Digital Forensics: Windows Artifacts
Windows Artifact Analysis:
- Program Execution
  - UserAssist
  - Shimcache
  - Windows 10 Timeline
  - Amcache.hve
  - System Resource Usage Monitor (SRUM)
  - Jump Lists
  - Last-Visited MRU
  - Prefetch
- File Download
  - Open/Save MRU
  - Email Attachments
  - Skype History
  - Browser Artifacts
  - Downloads
  - ADS Zone.Identifier
- Deleted File or File Knowledge
  - XP Search – ACMRU
  - Thumbs.db
  - Search – WordWheelQuery
  - Thumbcache
  - IE|Edge file://
  - Win7/8/10 Recycle Bin
  - Last-Visited MRU
  - XP Recycle Bin
- Network Activity/Physical Location
  - Timezone
  - Cookies
  - Network History
  - WLAN Event Log
  - Browser Search Terms
  - System Resource Usage Monitor (SRUM)
- File/Folder Opening
  - Open/Save MRU
  - Shell Bags
  - Last-Visited MRU
  - Recent Files
  - Jump Lists
  - Shortcut (LNK) Files
  - Prefetch
  - IE|Edge file://
  - Office Recent Files
- Account Usage
  - Last Login
  - Last Password Change
  - RDP Usage
  - Services Events
  - Logon Types
  - Authentication Events
  - Success/Fail Logons
- External Device/USB Usage
  - Key Identification
  - First/Last Times
  - User
  - PnP Events
  - Volume Serial Number
  - Drive Letter and Volume Name
  - Shortcut (LNK) Files
- Browser Usage
  - History
  - Cache
  - Session Restore
  - Cookies
  - Flash & Super Cookies
  - Google Analytics Cookies
Refer: SANS Poster
windows-forensics-and-security