Link Search Menu Expand Document

List of Windows Artifacts for Triage Analysis

29 Nov 2021 The_Croods 1 min

Forensic Triage Past Present Furture


Triage helps For every forensic analysis, we need to answer the following questions for successful incident remediation and recovery, failed to identify key data points such as initial access and level of compromise will result in repeated security indents.

ArtifactLocation
Event LogsC:\Windows\System32\winevt\Logs
RegistryC:\Windows\System32\Config
$MFTC:\$MFT
$UsnJrnlc:\$Extend\$J
AmcacheC:\Windows\appcompat\Programs\Amcache.hve
User AssistNTuser.Dat\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
ShimCacheSYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache
StartUPC:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
JumpListsC:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
ShellBagsWindows XP
NTUSER.DAT\Software\Microsoft\Windows\Shell
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam
NTUSER.DAT\Software\Microsoft\Windows\StreamMRU
Windows 7 later
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
LNK FilesWindows XP
C:\Documents and Settings\<username>\Recent
Windows 7 Later
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent
Scheduled TasksC:\Windows\tasks
C:\Windows\System32\tasks
powershell console historyC:\Users\<usrname>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
ConsoleHost_history.txt
WmiC:\WINDOWS\system32\wbem\Repository


Open source Forensic Triage Tools

Cylr

https://github.com/orlikoski/CyLR

Kape

https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape

Kansa

https://github.com/davehull/Kansa

IR triage

https://github.com/AJMartel/IRTriage

velociraptor

https://github.com/Velocidex/velociraptor

Share

Explore more like this

Triage
Intro

Objectives of Digital Forensics in Enterprise Environments

Nov 22, 2021

For every forensic analysis, we need to find the answers for some important questions to successfully remediate the security incident. Failed to identify key data points such as initial access and level of compromise will result in repeated security indents.

Read More