Windows Forensic Analysis POSTER
You Can't Protect What You Don't Know About
digital-forensics.sans.org | $25.00 | DFPS_FOR500_v4.11_0121
Poster created by Rob Lee with support of the SANS DFIR Faculty. Copyright 2021 Rob Lee. All Rights Reserved.

WINDOWS TIME RULES

NTFS keeps two sets of timestamps for every file: $STANDARD_INFORMATION ($SI), which Windows displays and which user-mode code can rewrite through SetFileTime, and $FILE_NAME ($FN), which only the kernel updates. Key: M = Modified (data), A = Accessed, MC = Metadata Changed (MFT entry), C = Created.

Operation                                 | $STANDARD_INFORMATION                                              | $FILE_NAME
------------------------------------------+--------------------------------------------------------------------+------------------------
File Rename                               | M: no change   A: no change        MC: time of rename  C: no change | all: no change
Local File Move (same volume)             | M: no change   A: no change        MC: time of move    C: no change | all: no change
Volume File Move (move via CLI)           | M: inherited   A: time of move     MC: inherited       C: time of move | all: time of move
Volume File Move (cut/paste via Explorer) | M: inherited   A: time of cut/paste MC: inherited      C: inherited  | all: time of cut/paste
File Copy                                 | M: inherited   A: time of copy     MC: time of copy    C: time of copy | all: time of copy
File Access                               | M: no change   A: time of access*  MC: no change       C: no change | all: no change
File Modification                         | M: time of mod. A: time of mod.    MC: time of mod.    C: no change | all: no change
File Creation                             | M, A, MC, C: time of creation                                      | all: time of creation
File Deletion                             | all: no change                                                     | all: no change

* No change on NTFS volumes larger than 128 GB.

WINDOWS ARTIFACT ANALYSIS: EVIDENCE OF...
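The rules above give an analyst a consistency check: $FN is written only by the kernel, so a $SI value that could not have been produced by any row of the table was set by something else (a timestomping tool, or the one Explorer cut/paste case that legitimately leaves $SI older than $FN). The script below is an added example, not part of the SANS poster; the two MFT-record dicts are constructed to show a clean file and the same entry after its $SI times were rewritten, and a real run would take the values from an MFT parser.

```python
"""Triage $STANDARD_INFORMATION vs $FILE_NAME timestamps from one MFT record.

Added example (not part of the SANS poster). The record dicts below are
constructed; in practice they come from an MFT parser. Every value is a raw
64-bit NTFS FILETIME (100 ns ticks since 1601-01-01 UTC).
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def timestomp_indicators(si: dict, fn: dict) -> list:
    """Return indicator strings; an empty list means the record is consistent
    with the time rules. Keys: created, modified, accessed, mft_modified.
    """
    findings = []

    # 1. SetFileTime-based tools usually write whole seconds; genuine NTFS
    #    writes almost always carry a fractional component.
    if all(si[k] % TICKS_PER_SECOND == 0 for k in ("created", "modified", "accessed")):
        findings.append("all $SI timestamps have zero fractional seconds")

    # 2. $FN C is set by the kernel at creation, copy and move. Every such
    #    operation sets $SI C to the same instant or leaves an older inherited
    #    value, so $SI C later than $FN C is not reachable by normal use.
    if si["created"] > fn["created"]:
        findings.append("$SI created is later than $FN created (forward-dated)")

    # 3. $SI C earlier than $FN C is legitimate after one operation only:
    #    Explorer cut/paste across volumes keeps $SI C and sets $FN C.
    if si["created"] < fn["created"]:
        findings.append("$SI created predates $FN created: back-dated, "
                        "or the file was cut/pasted across volumes in Explorer")

    # 4. Any write to $SI also advances the entry-changed time (MC), so a $SI
    #    M or C beyond MC was not produced by the file system itself.
    for key in ("created", "modified"):
        if si[key] > si["mft_modified"]:
            findings.append(f"$SI {key} is later than $SI entry-changed time")
    return findings


# Constructed records: a normally created file, and the same entry after a
# tool rewrote $SI to a whole-second date in 2015 (the kernel kept $FN).
_NOW = datetime_to_filetime(datetime(2021, 1, 11, 10, 22, 33, 500000, tzinfo=timezone.utc))
_OLD = datetime_to_filetime(datetime(2015, 6, 1, tzinfo=timezone.utc))
SAMPLE_NORMAL = {"created": _NOW, "modified": _NOW, "accessed": _NOW, "mft_modified": _NOW}
SAMPLE_STOMPED = {"created": _OLD, "modified": _OLD, "accessed": _OLD, "mft_modified": _NOW}

if __name__ == "__main__":
    for label, si in (("normal", SAMPLE_NORMAL), ("stomped", SAMPLE_STOMPED)):
        print(label, filetime_to_datetime(si["created"]).isoformat(),
              timestomp_indicators(si, SAMPLE_NORMAL) or "clean")
```

Check 3 is deliberately reported as ambiguous: the table's Explorer cut/paste row produces exactly that pattern, so the finding has to be confirmed against $SI M (inherited in both cases) and the USN journal or other context before it is called timestomping.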
PROGRAM EXECUTION

UserAssist
Description: GUI-based programs launched from the desktop are tracked in the launcher on a Windows system.
Location: NTUSER.DAT hive
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Interpretation:
- All values are ROT-13 encoded.
- GUID for XP: 75048700 (Active Desktop)
- GUIDs for Win7/8/10: CEBFF5CD (executable file execution), F4E57C4B (shortcut file execution)
- On Win7 and later the binary value data also carries the run count and the last execution time.

Windows 10 Timeline
Description: Win10 records recently used applications and files in a "timeline" accessible via the WIN+TAB key. The data is recorded in a SQLite database.
Location: C:\Users\<user>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db
Interpretation: Application execution; focus count per application.

BAM/DAM
Description: Windows Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM).
Location (Win10): SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
                  SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}
Investigative notes: Provides the full path of the executable file that was run on the system and the last execution date/time.

Shimcache
Description: The Windows Application Compatibility Database is used by Windows to identify possible application compatibility challenges with executables. Tracks the executable's file name, file size, last modified time, and in Windows XP the last update time.
Location: XP: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
          Win7/8/10: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Interpretation: Any executable run on the Windows system could be found in this key. You can use this key to identify systems that specific malware was executed on. In addition, based on the interpretation of the time-based data you might be able to determine the last time of execution or activity on the system.
- Windows XP contains at most 96 entries; LastUpdateTime is updated when the files are executed.
- Windows 7 contains at most 1,024 entries; LastUpdateTime does not exist on Win7 systems. The time stored on Win7 and later is the executable's $STANDARD_INFORMATION last modified time, not an execution time.
- Caveat: on Windows 8 and later an entry proves only that the file was present and examined by the compatibility subsystem (for example after being listed in Explorer); on its own it is not proof of execution.

Amcache.hve
Description: ProgramDataUpdater (a task associated with the Application Experience Service) uses the registry file Amcache.hve to store data during process creation.
Location (Win7/8/10): C:\Windows\AppCompat\Programs\Amcache.hve
Interpretation:
- Amcache.hve keys = Amcache.hve\Root\File\{Volume GUID}
- Entry for every executable run, full path information, the file's $StandardInfo last modification time, and the disk volume the executable was run from.
- First Run Time = last modification time of the key.
- SHA1 hash of the executable is also contained in the key (computed over at most the first 31,457,280 bytes, so for larger files it will not match a full-file SHA1).
- Newer Windows 10 builds record the same data under Root\InventoryApplicationFile.

System Resource Usage Monitor (SRUM)
Description: Records 30 to 60 days of historical system performance: applications run, the user account responsible for each, and bytes sent/received per application per hour.
Location: SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
          {d10ca2fe-6fcf-4f6d-848e-b2e99266fa89} = Application Resource Usage Provider
          C:\Windows\System32\SRU\
Interpretation: Use a tool such as srum_dump.exe to cross-correlate the data between the registry keys and the SRUM ESE database.
Jump Lists
Description: The Windows 7 taskbar (Jump List) is engineered to allow users to "jump" to or access items they have frequently or recently used quickly and easily. This functionality can not only include recent media files; it must also include recent tasks. The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the associated application.
Location (Win7/8/10): C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Interpretation:
- First time of execution of application: creation time = first time an item was added to the AppID file.
- Last time of execution of application with a file open: modification time = last time an item was added to the AppID file.
- List of Jump List IDs: https://dr.to/EZJumpList

Last-Visited MRU
Description: Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key. In addition, each value also tracks the directory location for the last file that was accessed by that application. Example: Notepad.exe was last run using the C:\%USERPROFILE%\Desktop folder.
Location: XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
          Win7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Interpretation: Tracks the application executables used to open files in OpenSaveMRU and the last file path used.
Prefetch
Description: Increases performance of a system by pre-loading code pages of commonly used applications. Cache Manager monitors all files and directories referenced for each application or process and maps them into a .pf file. Utilized to know an application was executed on a system.
- Limited to 128 files on XP and Win7
- Limited to 1024 files on Win8-10
- File name: (exename)-(hash).pf
Location (Win XP/7/8/10): C:\Windows\Prefetch
Interpretation: Each .pf will include the last time of execution, number of times run, and device and file handles used by the program.
- Date/time a file by that name and path was first executed = creation date of the .pf file (-10 seconds)
- Date/time a file by that name and path was last executed = embedded last execution time of the .pf file = last modification date of the .pf file (-10 seconds)
- Win8-10 will contain the last 8 times of execution
- Caveat: prefetching is often disabled on servers and on some SSD systems (EnablePrefetcher = 0), in which case no .pf files exist; Windows 10 .pf files are stored compressed (MAM header) and must be decompressed before the fields above can be read.

DELETED FILE OR FILE KNOWLEDGE

XP Search – ACMRU
Description: You can search for a wide range of information through the search assistant on a Windows XP machine. The search assistant will remember a user's search terms for file names, computers, or words that are inside a file. This is an example of where you can find the "Search History" on the Windows system.
Location: NTUSER.DAT hive
  NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru\####
Interpretation:
- Search the Internet: #### = 5001
- All or part of a document name: #### = 5603
- A word or phrase in a file: #### = 5604
- Printers, Computers and People: #### = 5647

Thumbcache
Description: Thumbnails of pictures, office documents, and folders exist in a database called the thumbcache. Each user will have their own database based on the thumbnail sizes viewed by the user (small, medium, large, and extra-large).
Location: C:\%USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer
Interpretation: These are created when a user switches a folder to thumbnail mode or views pictures via a slideshow. Thumbnails are stored in separate database files, one per size. Win7+ has 4 sizes for thumbnails and the files in the cache folder reflect this: 32 = small, 96 = medium, 256 = large, 1024 = extra large (Win 8.1/10 add further sizes such as thumbcache_48, _768, _1280, _1920 and _2560). The thumbcache will store the thumbnail copy of the picture based on the thumbnail size in the content of the equivalent database file.
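For the Prefetch section above (Program Execution), the fields the poster lists, executable name, path hash, run count and the last (Win8-10: last eight) execution times, all sit in the fixed header and file-information block of the .pf file. The parser below is an added example, not code from the poster; the offsets follow the public libscca format description, the sample file is constructed rather than captured, and it assumes a Windows 10 file has already been decompressed (the MAM-compressed form is rejected, not handled).

```python
"""Parse the header of a Windows Prefetch (.pf) file.

Added example (not from the poster). Offsets follow the public libscca format
notes: version 23 = Vista/7, 26 = Win8.1, 30 = Win10. Windows 10 writes the
file LZXPRESS-Huffman compressed behind a "MAM\x04" signature; this parser
expects the decompressed bytes (e.g. from RtlDecompressBufferEx on Windows).
The sample file below is constructed, not a real capture.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 0x54          # the file-information block starts here
RUN_COUNT_FROM_END = 0x64   # in v26/v30 the run count sits 100 bytes before the block ends


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def _filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_prefetch(data: bytes) -> dict:
    if data[:4] == b"MAM\x04":
        raise ValueError("compressed Windows 10 prefetch file: decompress first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature")
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash, = struct.unpack_from("<I", data, 0x4C)
    metrics_offset, = struct.unpack_from("<I", data, HEADER_SIZE)
    if version == 23:
        last_runs = [struct.unpack_from("<Q", data, 0x80)[0]]
        run_count, = struct.unpack_from("<I", data, 0x98)
    elif version in (26, 30):
        last_runs = list(struct.unpack_from("<8Q", data, 0x80))   # newest first
        # The block ends where the metrics array begins: 224 bytes in v26 and
        # early Win10 (run count at 0xD0), 216 bytes in later Win10 (0xC8).
        run_count, = struct.unpack_from("<I", data, metrics_offset - RUN_COUNT_FROM_END)
    else:
        raise ValueError(f"unsupported prefetch version {version}")
    return {
        "version": version,
        "exe_name": exe_name,
        "pf_name": f"{exe_name}-{path_hash:08X}.pf",
        "run_count": run_count,
        "last_runs": [filetime_to_datetime(ft) for ft in last_runs if ft],
    }


def build_sample_v26() -> bytes:
    """Constructed Windows 8.1 (version 26) file: 84-byte header + 224-byte block."""
    buf = bytearray(HEADER_SIZE + 224 + 16)
    struct.pack_into("<I4sII", buf, 0, 26, b"SCCA", 0x11, len(buf))
    buf[0x10:0x10 + 14] = "CMD.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, 0x4A81B364)               # made-up path hash
    struct.pack_into("<I", buf, HEADER_SIZE, HEADER_SIZE + 224)  # metrics array offset
    runs = [_filetime(datetime(2021, 1, 11, 10, 22, 33, tzinfo=timezone.utc)),
            _filetime(datetime(2021, 1, 10, 9, 0, 0, tzinfo=timezone.utc))]
    struct.pack_into("<8Q", buf, 0x80, *runs, *[0] * 6)
    struct.pack_into("<I", buf, 0xD0, 7)
    return bytes(buf)


if __name__ == "__main__":
    print(parse_prefetch(build_sample_v26()))
```

The metrics-array offset in the header is what makes the two Windows 10 layouts distinguishable without guessing: the file-information block always ends where that array starts, so the run-count position is derived from it rather than hard-coded per build.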
Thumbs.db
Description: Hidden file in a directory where images on the machine exist, stored as smaller thumbnail graphics. thumbs.db catalogs pictures in a folder and stores a copy of the thumbnail even if the pictures were deleted.
Location:
- Win XP: automatically created anywhere
- Win 8|8.1: automatically created anywhere with HomeGroup enabled
- Win 7/8/10: automatically created anywhere accessed via a UNC path (local or remote)
Interpretation: Includes thumbnail picture of original picture/document; thumbnail even if deleted; last modification time (XP only); original filename (XP only).

IE | Edge file://
Description: A little-known fact about the IE history is that the information stored in the history files is not just related to Internet browsing. The history also records local and remote (via network shares) file access, giving us an excellent means for determining which files and applications were accessed on the system, day by day.
Location (Internet Explorer):
- IE6-7: %USERPROFILE%\Local Settings\History\History.IE5
- IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
- IE10-11: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Interpretation: Stored in index.dat as: file:///C:/directory/filename.ext. Does not mean the file was opened in the browser.

Search – WordWheelQuery
Description: Keywords searched for from the START menu bar on a Windows 7 machine.
Location (Win7/8/10): NTUSER.DAT hive
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Interpretation: Keywords are added in Unicode and listed in temporal order in an MRU list.

Win7/8/10 Recycle Bin
Description: The recycle bin is a very important location on a Windows file system to understand. It can help you when accomplishing a forensic investigation, as every file that is deleted from a Windows recycle-bin-aware program is generally first put in the recycle bin.
Location: hidden system folder, Win7/8/10: C:\$Recycle.bin. Deleted time and original filename are contained in a separate file for each deleted recovery file.
Interpretation:
- SID can be mapped to user via registry analysis
- Win7/8/10: files preceded by $I###### contain the original path and name and the deletion date/time
- Files preceded by $R###### contain the recovery data

Last-Visited MRU
As under Program Execution above (NTUSER.DAT ...\ComDlg32\LastVisitedMRU on XP, ...\ComDlg32\LastVisitedPidlMRU on Win7/8/10): tracks the executable used by an application to open the files documented in OpenSaveMRU and the directory of the last file that application accessed.
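The $I record described under the Win7/8/10 Recycle Bin above is small and fixed-format, so it can be read without a full forensic suite. The parser below is an added example (not from the poster); the records it reads are constructed with the included builder, and the layout it assumes is the documented one: three little-endian u64 fields (format version, original size, deletion FILETIME) followed by the original path, fixed at 520 bytes of UTF-16LE in version 1 (Vista through 8.1) and length-prefixed in version 2 (Windows 10).

```python
"""Parse a $I###### record from C:\$Recycle.bin\<SID>\ (Vista and later).

Added example (not from the poster). Layout: u64 version (1 on Vista through
Win8.1, 2 on Win10), u64 original file size, u64 deletion FILETIME, then the
original path: version 1 holds a fixed 520-byte UTF-16LE field, version 2 a
u32 character count (including the terminating NUL) followed by the path.
The sample records are constructed with build_dollar_i().
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        n_chars, = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * n_chars]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted": filetime_to_datetime(deleted_ft),
        "original_path": raw.decode("utf-16-le").split("\x00", 1)[0],
    }


def recovery_file_name(i_name: str) -> str:
    """$Ixxxxxx.ext pairs with $Rxxxxxx.ext, which holds the deleted content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I record name")
    return "$R" + i_name[2:]


def build_dollar_i(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Serialize a record in either layout (used here to construct samples)."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


# Constructed samples: one Windows 10 record and one Windows 7 record.
SAMPLE_DELETED = datetime(2021, 1, 11, 10, 22, 33, tzinfo=timezone.utc)
SAMPLE_V2 = build_dollar_i(2, r"C:\Users\rob\Documents\payroll.xlsx", 48_213, SAMPLE_DELETED)
SAMPLE_V1 = build_dollar_i(1, r"C:\Users\rob\Desktop\notes.txt", 512, SAMPLE_DELETED)

if __name__ == "__main__":
    for blob in (SAMPLE_V2, SAMPLE_V1):
        print(parse_dollar_i(blob))
```

When a $R file is missing but the $I survives, the record still gives the path, size and deletion time, which is why the poster lists it under file knowledge and not only under recovery.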
XP Recycle Bin
Description: As for the Win7/8/10 Recycle Bin above: every file deleted from a recycle-bin-aware program is generally first put in the recycle bin.
Location: hidden system folder, Windows XP: C:\RECYCLER
- 2000/NT/XP/2003: a subfolder is created with the user's SID
- Hidden file in the directory called "INFO2"
- INFO2 contains the deleted time and original filename; the filename is stored in both ASCII and Unicode
Interpretation: SID can be mapped to user via registry analysis. Maps the file name to the actual name and path it was deleted from.

FILE DOWNLOAD

Open/Save MRU
Description: In the simplest terms, this key tracks files that have been opened or saved within a Windows shell dialog box. This happens to be a big data set, not only including web browsers like Internet Explorer and Firefox, but also a majority of commonly used applications.
Location: XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
          Win7/8/10: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Interpretation:
- The "*" key: this subkey tracks the most recent files of any extension input in an OpenSave dialog.
- (Three-letter extension) key: this subkey stores file info from the OpenSave dialog by specific extension.

Email Attachments
Description: The email industry estimates that 80% of email data is stored via attachments. Email standards only allow text. Attachments must be encoded with MIME/base64 format.
Location (Outlook): XP: %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook
                    Win7/8/10: %USERPROFILE%\AppData\Local\Microsoft\Outlook
Interpretation: MS Outlook data files found in these locations include OST and PST files. One should also check the OLK and Content.Outlook folder, which might roam depending on the specific version of Outlook used. For more information on where to find the OLK folder this link has a handy chart: http://www.hancockcomputertech.com/blog/2010/01/06/find-the-microsoft-outlook-temporary-olk-folder

Skype History
Description: Skype history keeps a log of chat sessions and files transferred from one machine to another. This is turned on by default in Skype installations.
Location: XP: C:\Documents and Settings\<user>\Application Data\Skype\
          Win7/8/10: C:\%USERPROFILE%\AppData\Roaming\Skype\
Interpretation: Each entry will have a date/time value and a Skype username associated with the action.
Browser Artifacts
Description: Not directly related to "File Download". Details stored for each local user account. Records number of times visited (frequency).
Location:
- Internet Explorer: IE8-9: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat
                     IE10-11: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
- Firefox: v3-25: %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random>.default\downloads.sqlite
           v26+: %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random>.default\places.sqlite, table moz_annos
- Chrome (Win7/8/10): %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
Interpretation: Many sites in history will list the files that were opened from remote sites and downloaded to the local system. History will record the access to the file on the website that was accessed via a link.
Downloads
Description: Firefox and IE have a built-in download manager application which keeps a history of every file downloaded by the user. This browser artifact can provide excellent information about what sites a user has been visiting and what kinds of files they have been downloading from them.
Location:
- Firefox: XP: %userprofile%\Application Data\Mozilla\Firefox\Profiles\<random>.default\downloads.sqlite
           Win7/8/10: %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random>.default\downloads.sqlite
- Internet Explorer: IE8-9: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\
                     IE10-11: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Interpretation: Downloads will include: filename, size, and type; download source and referring page; file save location; application used to open the file; download start and end times.

ADS Zone.Identifier
Description: Starting with XP SP2, when files are downloaded from the "Internet Zone" via a browser to an NTFS volume, an alternate data stream is added to the file. The alternate data stream is named "Zone.Identifier".
Interpretation: Files with an ADS Zone.Identifier containing ZoneId=3 were downloaded from the Internet.
- URLZONE_TRUSTED = ZoneId=2
- URLZONE_INTERNET = ZoneId=3
- URLZONE_UNTRUSTED = ZoneId=4
- (ZoneId=0 is the local machine and ZoneId=1 the local intranet. Browsers on Windows 10 also write ReferrerUrl= and HostUrl= lines into the stream, which record the download source.)

The "Evidence of..." categories were originally created by SANS Digital Forensics and Incident Response faculty for the SANS course FOR500: Windows Forensic Analysis. The categories map a specific artifact to the analysis questions that it will help to answer. Use this poster as a cheat-sheet to help you remember where you can discover key Windows artifacts for computer intrusion, intellectual property theft, and other common cybercrime investigations.

Related SANS courses
- Incident Response & Threat Hunting: SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling (GCIH); FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics (GCFA); FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response (GNFA); FOR578 Cyber Threat Intelligence (GCTI); FOR610 REM: Malware Analysis (GREM); FOR498 Battlefield Forensics & Data Acquisition (GBFA)
- Operating System & Device In-Depth: FOR308 Digital Forensics Essentials; FOR518 Mac and iOS Forensic Analysis and Incident Response; FOR500 Windows Forensics (GCFE); FOR585 Smartphone Forensic Analysis In-Depth (GASF)

The Windows time rules table at the top of the poster is based on testing on Windows 10 release version 1903.
sansforensics | @sansforensics | dr.to/MAIL-LIST

NETWORK ACTIVITY / PHYSICAL LOCATION

Timezone
Description: Identifies the current system time zone.
Location (SYSTEM hive): SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Interpretation: Time activity is incredibly useful for correlation of activity. Internal log files and date/time stamps will be based on the system time zone information. You might have other network devices and you will need to correlate their information to the time zone information collected here.

Cookies
Description: Cookies give insight into what websites have been visited and what activities may have taken place there.
Location: IE6-8: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies; other browser and version paths are listed under Browser Usage (Cookies) below.

Network History
Description: Identify networks that the computer has been connected to. Networks could be wireless or wired. Identify domain name/intranet name. Identify SSID. Identify gateway MAC address.
Location (Win7/8/10, SOFTWARE hive):
  SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
  SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
  SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
Interpretation: Identifying intranets and networks that a computer has connected to is incredibly important. Not only can you determine the intranet name, you can determine the last time the network was connected to based on the last write time of the key. This will also list any networks that have been connected to via a VPN. The gateway MAC address recorded for an SSID can be geolocated (wireless-positioning databases index access points by BSSID).

WLAN Event Log
Description: Determine what wireless networks the system associated with and identify network characteristics to find location.
Relevant Event IDs:
- 11000: wireless network association started
- 8001: successful connection to wireless network
- 8002: failed connection to wireless network
- 8003: disconnect from wireless network
- 6100: network diagnostics (System log)
Location: Microsoft-Windows-WLAN-AutoConfig/Operational.evtx
Interpretation: Shows the historical record of wireless network connections. Contains SSID and BSSID (MAC address), which can be used to geolocate the wireless access point (* no BSSID on Win8+).

Browser Search Terms
Description: Records websites visited by date and time. Details stored for each local user account. Records number of times visited (frequency). Also tracks access of local system files. This will also include the website history of search terms in search engines.
Location:
- Internet Explorer: IE6-7: %USERPROFILE%\Local Settings\History\History.IE5
                     IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
                     IE10-11: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
- Firefox: XP: %userprofile%\Application Data\Mozilla\Firefox\Profiles\<random>.default\places.sqlite
           Win7/8/10: %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<random>.default\places.sqlite

System Resource Usage Monitor (SRUM)
Description: Records 30 to 60 days of historical system performance: applications run, the user account responsible for each, and bytes sent/received per application per hour.
Location: SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
          {973F5D5C-1D90-4944-BE8E-24B94231A174} = Windows Network Data Usage Monitor
          {DD6636C4-8929-4683-974E-22C046A43763} = Windows Network Connectivity Usage Monitor
          SOFTWARE\Microsoft\WlanSvc\Interfaces\
          C:\Windows\System32\SRU\
Interpretation: Use a tool such as srum_dump.exe to cross-correlate the data between the registry keys and the SRUM ESE database.
FILE/FOLDER OPENING

Open/Save MRU
As under File Download above (NTUSER.DAT ...\ComDlg32\OpenSaveMRU on XP, ...\ComDlg32\OpenSavePidlMRU on Win7/8/10): tracks files that have been opened or saved within a Windows shell dialog box, for browsers and most common applications. The "*" subkey holds the most recent files of any extension; each three-letter-extension subkey holds file info for that specific extension.

Recent Files
Description: Registry key that will track the last files and folders opened and is used to populate data in the "Recent" menus of the Start menu.
Location: NTUSER.DAT hive
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Interpretation:
- RecentDocs: the overall key will track the overall order of the last 150 files or folders opened. The MRU list will keep track of the temporal order in which each file/folder was opened. The last entry and modification time of this key will be the time and location of the last file or folder opened.
- .??? subkeys: each stores the last files with a specific extension that were opened. The MRU list will keep track of the temporal order in which each file was opened. The last entry and modification time of this key will be the time when and location where the last file of that specific extension was opened.
- Folder subkey: stores the last folders that were opened. The MRU list will keep track of the temporal order in which each folder was opened. The last entry and modification time of this key will be the time and location of the last folder opened.
Jump Lists
Description: The Windows 7 taskbar (Jump List) is engineered to allow users to "jump" to or access items they have frequently or recently used quickly and easily. This functionality can not only include recent media files; it must also include recent tasks. The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the associated application and embedded with LNK files in each stream.
Location (Win7/8/10): C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Interpretation: Using the Structured Storage Viewer, open up one of the AutomaticDestinations jump list files. Each stream in these files is a separate LNK file. They are also stored numerically in order from the earliest one (usually 1) to the most recent (largest integer value).
ShellBags
Description: Which folders were accessed on the local machine, the network, and/or removable devices. Evidence of previously existing folders after deletion/overwrite. When certain folders were accessed.
Location:
- Explorer access: USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
                   USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- Desktop access: NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
                  NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
Interpretation: Stores information about which folders were most recently browsed by the user.
Shortcut (LNK) Files
Description: Shortcut files automatically created by Windows:
- Recent Items
- Opening local and remote data files and documents will generate a shortcut file (.lnk)
Location: XP: C:\%USERPROFILE%\Recent
          Win7/8/10: C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
                     C:\%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\
  Note these are the primary locations of LNK files. They can also be found in other locations.
Interpretation:
- Date/time a file of that name was first opened = creation date of the shortcut (LNK) file
- Date/time a file of that name was last opened = last modification date of the shortcut (LNK) file
- LNK target file (internal LNK file information) data: modified, access, and creation times of the target file; volume information (name, type, serial number); network share information; original location; name of system

Prefetch
Description and location: as under Program Execution above (C:\Windows\Prefetch, (exename)-(hash).pf; limited to 128 files on XP and Win7, 1024 files on Win8-10).
Interpretation for file/folder opening:
- Can examine each .pf file to look for file handles recently used
- Can examine each .pf file to look for device handles recently used

Last-Visited MRU
As under Program Execution above (NTUSER.DAT ...\ComDlg32\LastVisitedMRU on XP, ...\ComDlg32\LastVisitedPidlMRU on Win7/8/10): tracks the executable used by an application to open the files documented in OpenSaveMRU and the directory of the last file that application accessed. Example: Notepad.exe was last run using the C:\Users\Rob\Desktop folder.
IE | Edge file://
As under Deleted File or File Knowledge above; the Win7+ history also records access to files on removable media, not only local and network-share paths.
Location: IE6-7: %USERPROFILE%\Local Settings\History\History.IE5
          IE8-9: %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
          IE10-11: %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Interpretation: Stored in index.dat as: file:///C:/directory/filename.ext. Does not mean the file was opened in the browser.

Office Recent Files
Description: MS Office programs will track their own Recent Files list to make it easier for users to remember the last file they were editing.
Location: NTUSER.DAT\Software\Microsoft\Office\VERSION
          10.0 = Office XP; 11.0 = Office 2003; 12.0 = Office 2007; 14.0 = Office 2010
          NTUSER.DAT\Software\Microsoft\Office\VERSION\<application>\User MRU\LiveId_####\File MRU
          15.0 = Office 2013 (the poster labels this Office 365); 16.0 = Office 2016 and later, including Microsoft 365
Interpretation: Similar to the Recent Files key, this will track the last files that were opened by each MS Office application. The last entry added, per the MRU, will be the time the last file was opened by a specific MS Office application.
ACCOUNT USAGE

Last Login
Description: Lists the local accounts of the system and their equivalent security identifiers.
Location: C:\Windows\System32\config\SAM
          SAM\Domains\Account\Users
Interpretation: Only the last login time will be stored in the registry key.

Last Password Change
Description: Lists the last time the password of a specific local user has been changed.
Location: C:\Windows\System32\config\SAM
          SAM\Domains\Account\Users
Interpretation: Only the last password change time will be stored in the registry key.

RDP Usage
Description: Track Remote Desktop Protocol logons to target machines.
Location (Security log, Win7/8/10): %SYSTEMROOT%\System32\winevt\Logs\Security.evtx
Interpretation (Win7/8/10):
- Event ID 4778: session connected/reconnected
- Event ID 4779: session disconnected
- The event log provides the hostname and IP address of the remote machine making the connection.
- On workstations you will often see the current console session disconnected (4779) followed by the RDP connection (4778).
- A 4624 with logon type 10 records the RDP logon itself; Microsoft-Windows-TerminalServices-LocalSessionManager/Operational events 21 (logon), 24 (disconnect) and 25 (reconnect) also carry the source address.

Services Events
Description: Analyze logs for suspicious services running at boot time. Review services started or stopped around the time of a suspected compromise.
Location: all Event IDs except 4697 are in the System log
- 7034: service crashed unexpectedly
- 7035: service sent a Start/Stop control
- 7036: service started or stopped
- 7040: start type changed (Boot | On Request | Disabled)
- 7045: a service was installed on the system (Win2008R2+)
- 4697: a service was installed on the system (Security log)
Interpretation: A large amount of malware and worms in the wild utilize services. Services started on boot illustrate persistence (desirable in malware). Services can crash due to attacks like process injection.

Logon Types
Description: Logon events can give us very specific information regarding the nature of account authorizations on a system if we know where to look and how to decipher the data that we find. In addition to telling us the date, time, username, hostname, and success/failure status of a logon, logon events also enable us to determine by exactly what means a logon was attempted.
Location (Win7/8/10): Event ID 4624
Interpretation:
  Type  Explanation
  2     Logon via console
  3     Network logon
  4     Batch logon
  5     Windows service logon
  7     Credentials used to unlock screen
  8     Network logon sending credentials (cleartext)
  9     Different credentials used than logged-on user
  10    Remote interactive logon (RDP)
  11    Cached credentials used to logon
  12    Cached remote interactive (similar to Type 10)
  13    Cached unlock (similar to Type 7)

Authentication Events
Description: Authentication mechanisms.
Location: Recorded on the system that authenticated the credentials: local account/workgroup = on the workstation; domain/Active Directory = on the domain controller.
          Win7/8/10: %SYSTEMROOT%\System32\winevt\Logs\Security.evtx
Interpretation:
- NTLM protocol: 4776: successful/failed account authentication
- Kerberos protocol: 4768: Ticket Granting Ticket was granted (successful logon); 4769: service ticket requested (access to server resource); 4771: pre-authentication failed (failed logon)

Success/Fail Logons
Description: Determine which accounts have been used for attempted logons. Track account usage for known compromised accounts.
Location (Win7/8/10): %systemroot%\System32\winevt\Logs\Security.evtx
Interpretation (Win7/8/10):
- 4624: successful logon
- 4625: failed logon
- 4634 | 4647: successful logoff
- 4648: logon using explicit credentials (RunAs)
- 4672: account logon with superuser rights (Administrator)
- 4720: an account was created

EXTERNAL DEVICE / USB USAGE

Key Identification
Description: Track USB devices plugged into a machine.
Location: SYSTEM\CurrentControlSet\Enum\USBSTOR
          SYSTEM\CurrentControlSet\Enum\USB
Interpretation: Identify vendor, product, and version of a USB device plugged into a machine. Identify a unique USB device plugged into the machine. Determine the time a device was plugged into the machine. Devices that do not have a unique serial number will have an "&" in the second character of the serial number.
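The Account Usage event IDs above (4624/4625 with the logon-type table, 4778/4779 for RDP) and the WLAN-AutoConfig event 8001 from Network Activity are all consumed the same way once exported: one XML <Event> per record, with the interesting fields under EventData. The script below is an added example, not the poster's own tooling; the records are constructed in the shape `wevtutil qe <log> /f:xml` produces, and it demonstrates the two questions the poster poses: which accounts were used after a run of failures, and which remote-interactive (type 10) logons and wireless associations the host recorded.

```python
"""Triage exported Windows event records for logon activity and WLAN
associations.

Added example (not from the poster). Input is the XML that `wevtutil qe
Security /f:xml` (or the WLAN-AutoConfig/Operational log) produces, one
<Event> per record; the records below are constructed. Covers the Account
Usage IDs above (4624/4625, logon type 10 for RDP) and WLAN event 8001.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {2: "console", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 8: "network cleartext", 9: "new credentials (RunAs)",
               10: "remote interactive (RDP)", 11: "cached", 12: "cached RDP",
               13: "cached unlock"}


def parse_event(xml_text: str) -> dict:
    """Flatten one <Event> into event_id, SystemTime and the EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "data": {d.get("Name"): (d.text or "").strip()
                 for d in root.iterfind("e:EventData/e:Data", NS)},
    }


def triage_logons(events, threshold=5):
    """Flag a 4624 that follows `threshold` or more 4625s for the same account
    (password guessing that ended in a logon) and list every type 10 logon."""
    failures = defaultdict(int)
    alerts, rdp = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        d, user = ev["data"], ev["data"].get("TargetUserName", "")
        if ev["event_id"] == 4625:
            failures[user] += 1
        elif ev["event_id"] == 4624:
            ltype = int(d.get("LogonType", 0))
            src = d.get("IpAddress", "-")
            if ltype == 10:
                rdp.append((ev["time"], user, src))
            if failures[user] >= threshold:
                alerts.append(f"{user}: {failures[user]} failed logons then success, "
                              f"type {ltype} ({LOGON_TYPES.get(ltype, '?')}) from {src}")
            failures[user] = 0
    return {"alerts": alerts, "rdp_logons": rdp}


def wlan_connections(events):
    """(time, SSID, BSSID) for each successful association (event 8001)."""
    return [(ev["time"], ev["data"].get("SSID"), ev["data"].get("BSSID"))
            for ev in events if ev["event_id"] == 8001]


def _event(event_id, time, **data):
    """Build a minimal record in the wevtutil XML shape (constructed sample)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed log: a wireless association, six failed logons for "rob" from
# 10.0.0.5, then an RDP logon for the same account, then a service logon.
SAMPLE_EVENTS = [
    _event(8001, "2021-01-11T08:01:00.000000Z", SSID="CoffeeShop-Guest",
           BSSID="00:11:22:33:44:55"),
    *[_event(4625, f"2021-01-11T10:22:{s:02d}.000000Z", TargetUserName="rob",
             LogonType="3", IpAddress="10.0.0.5") for s in range(30, 36)],
    _event(4624, "2021-01-11T10:22:40.000000Z", TargetUserName="rob",
           LogonType="10", IpAddress="10.0.0.5"),
    _event(4624, "2021-01-11T11:00:00.000000Z", TargetUserName="svc_backup",
           LogonType="5", IpAddress="-"),
]

if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    print(triage_logons(parsed))
    print(wlan_connections(parsed))
```

The failure counter is reset on every success, so a legitimate user who mistypes a password once or twice never trips the threshold; tune `threshold` to the environment's lockout policy.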
First/Last Times
Description: Determine temporal usage of specific USB devices connected to a Windows machine.
Location (first time, Plug and Play log files): XP: C:\Windows\setupapi.log
                                                Win7/8/10: C:\Windows\inf\setupapi.dev.log
Interpretation: Search for the device serial number. Log file times are set to the local time zone.
Location (first, last, and removal times, Win7/8/10 only): SYSTEM hive
  \CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB Serial #\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####
  0064 = first install (Win7-10); 0066 = last connected (Win8-10); 0067 = last removal (Win8-10)

User
Description: Find the user that used the unique USB device.
Location: Look for the GUID from SYSTEM\MountedDevices in
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Interpretation: This GUID will be used next to identify the user that plugged in the device. The last write time of this key also corresponds to the last time the device was plugged into the machine by that user. The number will be referenced in the user's personal mount points key in the NTUSER.DAT hive.
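setupapi.dev.log, named above as the source for a device's first install time, is a plain text log in which every hardware-initiated install is bracketed by a header naming the device instance ID, a "Section start" line and a "Section end" line with an exit status. The parser below is an added example, not from the poster; the log excerpt is constructed in that format, the instance-ID handling applies the poster's rule that an "&" in the second character of the serial segment marks a Windows-generated (non-unique) serial, and the times are returned as naive local datetimes because the log carries no zone.

```python
"""Pull USB storage install records out of C:\Windows\inf\setupapi.dev.log.

Added example (not from the poster). The log lines below are constructed in
the format Windows 7 and later write: a ">>>  [Device Install (Hardware
initiated) - <instance id>]" header, ">>>  Section start <local time>",
"<<<  Section end <local time>" and "<<<  [Exit status: ...]". Times are local
(the log has no zone), as the poster notes.
"""
import re
from datetime import datetime

SECTION_START = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>.+)\]\s*$")
TIMESTAMP = re.compile(r"^(?P<kind>>>>|<<<)\s+Section (?:start|end) "
                       r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")
USBSTOR_ID = re.compile(r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
                        r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$", re.IGNORECASE)


def parse_setupapi(text: str) -> list:
    """One dict per USBSTOR install section: vendor, product, serial, whether
    the serial is device-unique, local start/end time and exit status."""
    records, current = [], None
    for line in text.splitlines():
        m = SECTION_START.match(line)
        if m:
            mm = USBSTOR_ID.match(m.group("id"))
            if not mm:
                current = None            # not USB storage: skip this section
                continue
            inst = mm.group("instance")
            unique = inst[1:2] != "&"     # "&" as 2nd char = generated, not a device serial
            current = {"device_id": m.group("id"), "vendor": mm.group("vendor"),
                       "product": mm.group("product"),
                       "serial": inst.split("&")[0] if unique else inst,
                       "serial_is_unique": unique,
                       "start": None, "end": None, "status": None}
            continue
        if current is None:
            continue
        m = TIMESTAMP.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            current["start" if m.group("kind") == ">>>" else "end"] = ts
            continue
        m = EXIT_STATUS.match(line)
        if m:
            current["status"] = m.group("status")
            records.append(current)
            current = None
    return records


def first_install(records, serial):
    """Earliest local install time for a device serial, or None if never seen."""
    times = [r["start"] for r in records
             if r["serial"].lower() == serial.lower() and r["start"]]
    return min(times) if times else None


# Constructed excerpt: a device with a real serial, one with a generated
# serial, and an unrelated driver-package section that must be ignored.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2021/01/11 10:22:33.123
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 10:22:33.140
<<<  Section end 2021/01/11 10:22:35.210
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&2a1b3c4d&0&_&0]
>>>  Section start 2021/01/12 09:00:00.000
<<<  Section end 2021/01/12 09:00:01.500
<<<  [Exit status: SUCCESS]
>>>  [Setup Import Driver Package - C:\\drivers\\example.inf]
>>>  Section start 2021/01/12 09:05:00.000
<<<  Section end 2021/01/12 09:05:01.000
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    for rec in parse_setupapi(SAMPLE_LOG):
        print(rec)
```

Because the serial comparison is case-insensitive and the generated serial is kept whole, the same function answers both "when was this stick first seen" for a unique device and "is this even a device serial" for the ones the poster warns about.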
ExternalDevice/USBUsageHistoryDescriptionRecordswebsitesvisitedbydateandtime.
Detailsstoredforeachlocaluseraccount.
Recordsnumberoftimesvisited(frequency).
Alsotracksaccessoflocalsystemles.
LocationInternetExplorerIE6-7:%USERPROFILE%\LocalSettings\History\History.
IE5IE8-9:%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.
IE5IE10,11,Edge:%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.
datFirefoxXP:%USERPROFILE%\ApplicationData\Mozilla\Firefox\Proles\.
default\places.
sqliteWin7/8/10:%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\places.
sqliteChromeXP:%USERPROFILE%\LocalSettings\ApplicationData\Google\Chrome\UserData\Default\HistoryWin7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\HistoryCookiesDescriptionCookiesgiveinsightintowhatwebsiteshavebeenvisitedandwhatactivitiesmayhavetakenplacethere.
LocationInternetExplorerIE8-9:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\CookiesIE10:%USERPROFILE%\AppData\Roaming\Microsoft\Windows\CookiesIE11:%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookiesEdge:%USERPROFILE%\AppData\Local\Packages\microsoft.
microsoftedge_\AC\MicrosoftEdge\CookiesFirefoxXP:%USERPROFILE%\ApplicationData\Mozilla\Firefox\Proles\.
default\cookies.
sqliteWin7/8/10:%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Proles\.
default\cookies.
sqliteChromeXP:%USERPROFILE%\LocalSettings\ApplicationData\Google\Chrome\UserData\Default\LocalStorage\Win7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\LocalStorage\CacheDescriptionThecacheiswherewebpagecomponentscanbestoredlocallytospeedupsubsequentvisitsGivestheinvestigatora"snapshotintime"ofwhatauserwaslookingatonline-Identieswebsiteswhichwerevisited-Providestheactuallestheuserviewedonagivenwebsite-Cachedlesaretiedtoaspeciclocaluseraccount-TimestampsshowwhenthesitewasrstsavedandlastviewedLocationInternetExplorerIE8-9:%USERPROFILE%\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.
IE5IE10:%USERPROFILE%\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Content.
IE5IE11:%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IEEdge:%USERPROFILE%\AppData\Local\Packages\microsoft.
microsoftedge_\AC\MicrosoftEdge\CacheFirefoxXP:%USERPROFILE%\LocalSettings\ApplicationData\Mozilla\Firefox\Proles\.
default\CacheWin7/8/10:%USERPROFILE%\AppData\Local\Mozilla\Firefox\Proles\.
default\CacheChromeXP:%USERPROFILE%\LocalSettings\ApplicationData\Google\Chrome\UserData\Default\Cache-data_#andf_######Win7/8/10:%USERPROFILE%\AppData\Local\Google\Chrome\UserData\Default\Cache\-data_#andf_######Flash&SuperCookiesDescriptionLocalStoredObjects(LSOs),orFlashCookies,havebecomeubiquitousonmostsystemsduetotheextremelyhighpenetrationofFlashapplicationsacrosstheInternet.
Theytendtobemuchmorepersistentbecausetheydonotexpire,andthereisnobuilt-inmechanismwithinthebrowsertoremovethem.
Infact,manysiteshavebegunusingLSOsfortheirtrackingmechanismsbecausetheyrarelygetclearedliketraditionalcookies.
Location
Win7/8/10: %APPDATA%\Roaming\Macromedia\Flash Player\#SharedObjects\
Interpretation
- Websites visited
- User account used to visit the site
- When cookie was created and last accessed

Session Restore
Description
Automatic Crash Recovery features built into the browser.
Location
Internet Explorer
Win7/8/10: %USERPROFILE%/AppData/Local/Microsoft/Internet Explorer/Recovery
Firefox
Win7/8/10: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>.default\sessionstore.js
Chrome
Win7/8/10: %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\
Files = Current Session, Current Tabs, Last Session, Last Tabs
Interpretation
- Historical websites viewed in each tab
- Referring websites
- Time session ended: Modified time of .dat files in Last Active folder
- Time each tab opened (only when crash occurred): Creation time of .dat files in Active folder
Google Analytics Cookies
Description
Google Analytics (GA) has developed an extremely sophisticated methodology for tracking site visits, user activity, and paid search. Since GA is largely free, it has a commanding share of the market, estimated at over 80% of sites using traffic analysis and over 50% of all sites.
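An added example (not part of the SANS poster) that decodes the dot-separated __utma and __utmz cookie values into the visitor, timestamp and traffic-source fields this section lists; the sample cookie values are constructed, and the field layout is the standard GA layout (epoch seconds for all timestamps).

```python
# Added example, not from the poster: decode __utma / __utmz GA cookie values.
# Layout is the standard GA format; sample values below are constructed.
from datetime import datetime, timezone
from urllib.parse import unquote


def _utc(epoch: str) -> str:
    """Render an epoch-seconds string as a UTC timestamp."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_utma(value: str) -> dict:
    """__utma: domainhash.visitorid.firstvisit.previousvisit.currentvisit.visitcount"""
    domain_hash, visitor_id, first, prev, last, visits = value.split(".")
    return {
        "domain_hash": domain_hash,
        "visitor_id": visitor_id,
        "cookie_created": _utc(first),           # cookie creation (first visit)
        "second_most_recent_visit": _utc(prev),
        "most_recent_visit": _utc(last),
        "visit_count": int(visits),
    }


def parse_utmz(value: str) -> dict:
    """__utmz: domainhash.lastupdate.visits.sourcetypes.utmcsr=..|utmccn=..|utmcmd=..|utmctr=.."""
    # maxsplit=4 keeps dots inside the campaign data (e.g. utmcsr=example.com) intact
    domain_hash, updated, visits, source_types, campaign = value.split(".", 4)
    fields = dict(kv.split("=", 1) for kv in campaign.split("|") if "=" in kv)
    return {
        "domain_hash": domain_hash,
        "last_update": _utc(updated),
        "visit_count": int(visits),
        "source_type_count": int(source_types),
        "source": fields.get("utmcsr"),                    # referrer or (direct)
        "campaign": fields.get("utmccn"),                  # AdWords campaign name
        "access_method": fields.get("utmcmd"),             # organic, referral, cpc, email, (none)
        "keyword": unquote(fields["utmctr"]) if "utmctr" in fields else None,  # non-SSL only
    }


# Constructed sample values (not from any real system).
SAMPLE_UTMA = "173272373.1245678901.1609459200.1612137600.1612224000.5"
SAMPLE_UTMZ = "173272373.1612224000.5.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=forensic%20poster"

if __name__ == "__main__":
    print(parse_utma(SAMPLE_UTMA))
    print(parse_utmz(SAMPLE_UTMZ))
```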
__utma – Unique visitors
- Domain Hash
- Visitor ID
- Cookie Creation Time
- Time of 2nd most recent visit
- Time of most recent visit
- Number of visits
__utmb – Session tracking
- Domain hash
- Page views in current session
- Outbound link clicks
- Time current session started
__utmz – Traffic sources
- Domain Hash
- Last Update time
- Number of visits
- Number of different types of visits
- Source used to access site
- Google Adwords campaign name
- Access Method (organic, referral, cpc, email, direct)
- Keyword used to find site (non-SSL only)

PnP Events
Description
When a Plug and Play driver install is attempted, the service will log an ID 20001 event and provide a Status within the event.
It is important to note that this event will trigger for any Plug and Play-capable device, including but not limited to USB, Firewire, and PCMCIA devices.
Location
System Log File
Win7/8/10: %systemroot%\System32\winevt\logs\System.evtx
Interpretation
Event ID: 20001 – Plug and Play driver install attempted
- Event ID 20001
- Timestamp
- Device information
- Device serial number
- Status (0 = no errors)

Volume Serial Number
Description
Discover the Volume Serial Number of the Filesystem Partition on the USB. (NOTE: This is not the USB Unique Serial Number, which is hardcoded into the device firmware.)
Location
SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
Use Volume Name and USB Unique Serial Number to:
- Find last integer number in line
- Convert Decimal Serial Number into Hex Serial Number
Interpretation
Knowing both the Volume Serial Number and the Volume Name, you can correlate the data across SHORTCUT File (LNK) analysis and the RECENT DOCs key.
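An added example (not from the poster) that carries out the two EMDMgmt steps above: pull the last integer off a subkey name and convert the decimal Volume Serial Number to the XXXX-XXXX hex form that LNK files and RecentDocs carry. The subkey name is constructed; its layout (USBSTOR device id, USB serial, class GUID, volume name, decimal VSN) follows the ReadyBoost EMDMgmt naming that Windows uses.

```python
# Added example, not from the poster: decode an EMDMgmt subkey name.
# SAMPLE_KEY is constructed; real names look like
#   _??_USBSTOR#<device id>#<usb serial>&0#{GUID}<VOLUME NAME>_<decimal VSN>
import re

# USB unique serial sits between a '#' and '&<n>#', the volume name follows the
# closing '}', and the decimal VSN is the last integer after the last '_'.
_KEY_RE = re.compile(r"#([^#&]+)&\d+#\{[0-9a-fA-F-]+\}(.*)_(\d+)$")


def vsn_to_hex(vsn_decimal: int) -> str:
    """Decimal VSN -> 'XXXX-XXXX'; zero-pad so a small value keeps 8 hex digits."""
    h = f"{vsn_decimal:08X}"
    return f"{h[:4]}-{h[4:]}"


def parse_emdmgmt_key(key_name: str) -> dict:
    """Split one EMDMgmt subkey name into USB serial, volume name and VSN."""
    m = _KEY_RE.search(key_name)
    if not m:
        raise ValueError(f"not an EMDMgmt USBSTOR key: {key_name!r}")
    usb_serial, volume_name, vsn_dec = m.group(1), m.group(2), int(m.group(3))
    return {
        "usb_serial": usb_serial,        # matches USBSTOR / setupapi serial
        "volume_name": volume_name,      # matches LNK / RecentDocs volume label
        "vsn_decimal": vsn_dec,
        "vsn_hex": vsn_to_hex(vsn_dec),  # matches LNK volume serial number
    }


# Constructed sample key name (not from any real system).
SAMPLE_KEY = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#"
              "4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
              "EVIDENCE_3265523934")

if __name__ == "__main__":
    print(parse_emdmgmt_key(SAMPLE_KEY))
```

EMDMgmt is written by ReadyBoost, so it is commonly empty on systems that boot from an SSD; in that case fall back to the LNK files themselves for the serial.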
- The Shortcut File (LNK) contains the Volume Serial Number and Name
- RecentDocs Registry Key, in most cases, will contain the volume name when the USB device is opened via Explorer

Drive Letter and Volume Name
Description
Discover the last drive letter of the USB Device when it was plugged into the machine.
Location
XP: Find ParentIdPrefix – SYSTEM\CurrentControlSet\Enum\USBSTOR
Using ParentIdPrefix discover Last Mount Point – SYSTEM\MountedDevices
Win7/8/10: SOFTWARE\Microsoft\Windows Portable Devices\Devices
SYSTEM\MountedDevices - Examine Drive Letters, looking at Value Data for the Serial Number
Interpretation
Identify the USB device that was last mapped to a specific drive letter. This technique will only work for the last drive mapped. It does not contain historical records of every drive letter mapped to a removable drive.
Shortcut (LNK) Files
Description
Shortcut files automatically created by Windows
- Recent Items
- Opening local and remote data files and documents will generate a shortcut file (.lnk)
Location
XP: %USERPROFILE%\Recent
Win7/8/10: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent
Interpretation
- Date/Time file of that name was first opened - Creation Date of Shortcut (LNK) File
- Date/Time file of that name was last opened - Last Modification Date of Shortcut (LNK) File
LNK Target File (Internal LNK File Information) Data:
- Modified, Access, and Creation times of the target file
- Volume Information (Name, Type, Serial Number)
- Network Share information
- Original Location
- Name of System