Digital Forensics:Windows Artifacts

Windows Artifact Analysis:

1. Program Execution
• UserAssist
• Shimcache
• Windows 10 Timeline
• Amcache.hve
• Shimcache
• System Resource Usage Monitor (SRUM)
• Jump Lists
• Last-Visited MRU
• Prefetch
2. File Download 
• Open/Save MRU
• Email Attachments
• Skype History
• Browser Artifacts
• Downloads
• ADS Zone.Identifer
3. Deleted File or File Knowledge
• XP Search – ACMRU
• Thumbs.db
• Search – WordWheelQuery
• Thumbcache
• IE|Edge file://
• Win7/8/10 Recycle Bin
• Last-Visited MRU
• XP Recycle Bin
4. Network Activity/Physical Location
• Timezone
• Cookies
• Network History
• WLAN Event Log
• Browser Search Terms
• System Resource Usage Monitor (SRUM)
5. File/Folder Opening
• Open/Save MRU
• Shell Bags
• Last-Visited MRU
• Recent Files
• Jump Lists
• Shell Bags
• Shortcut (LNK) Files
• Prefetch
• Last-Visited MRU
• IE|Edge file://
• Office Recent Files
6. Account Usage
• Last Login
• Last Password Change
• RDP Usage
• Services Events
• Logon Types
• Authentication Events 
• Success/Fail Logons
7. External Device/USB Usage
• Key Identification
• First/Last Times
• User
• PnP Events
• Volume Serial Number
• Drive Letter and Volume Name
• Shortcut (LNK) Files
8. Browser Usage
• History 
• Cache
• Session Restore
• Cookies
• Flash & Super Cookies
• Google Analytics Cookies

Refer: SANS Poster

           windows-forensics-and-security

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD