Are we looking for USB storage media activity or for all USB devices, e.g. cameras or headphones? As for timestamps, you will usually have the first connection (the device install record in setupapi.dev.log) and the last connection. There are also OS-specific timestamps such as first or last install and first connection since the last reboot. (See also: Windows USB artifacts, macOS.) Check the System event log in Event Viewer for the USB-related event IDs 20001 and 20002 to verify the registry data or to confirm that the registry was updated. Look at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\<hardware id>\<instance id>\Device Parameters and, for mass-storage devices, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR. Caveat: if the second character of the instance ID is "&", the device did not report a serial number and Windows generated the ID, so that ID cannot be used to recognise the same physical device on another machine.
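As an added example (not code from the original page), the following Python parses the "Device Install" sections of a setupapi.dev.log to recover the first-install time of each USB device and applies the "&" serial-number check described above. The log lines are constructed to mirror the real file's layout; the device IDs, serial numbers and times are invented, and the timestamps are the host's local time, as setupapi writes them.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample in the layout of setupapi.dev.log (device IDs and times are invented).
# A hardware-initiated install section opens with the device instance path and a local-time
# "Section start" line, and closes with an exit status.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230530114232]
>>>  Section start 2021/03/07 10:15:22.367
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
     dvi:                  {Build Driver List} 10:15:22.401
<<<  Section end 2021/03/07 10:15:24.102
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230530114232&0]
>>>  Section start 2021/03/07 10:15:24.250
<<<  Section end 2021/03/07 10:15:25.010
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&2a1f3c9&0&2]
>>>  Section start 2021/03/09 08:01:00.000
<<<  Section end 2021/03/09 08:01:01.500
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")


@dataclass
class InstallRecord:
    enumerator: str          # USB, USBSTOR, ...
    hardware_id: str         # VID_xxxx&PID_yyyy, or Disk&Ven_...&Prod_...&Rev_... for USBSTOR
    instance_id: str         # the device serial number, or a Windows-generated id
    first_install: datetime  # "Section start" time, in the host's local time
    status: str


def parse_setupapi(text: str) -> List[InstallRecord]:
    """Walk the log once, pairing each Device Install header with its start time and exit status."""
    records: List[InstallRecord] = []
    device_id = None
    started = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            device_id, started = m.group("id"), None
            continue
        m = START_RE.match(line)
        if m and device_id and started is None:
            started = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = EXIT_RE.match(line)
        if m and device_id and started is not None:
            parts = device_id.split("\\", 2)
            if len(parts) == 3:
                records.append(InstallRecord(parts[0], parts[1], parts[2], started, m.group("status")))
            device_id, started = None, None
    return records


def has_vendor_serial(instance_id: str) -> bool:
    """Windows synthesises the instance id when a device reports no serial number;
    such ids have '&' as their second character and do not identify the physical device."""
    return len(instance_id) > 1 and instance_id[1] != "&"


def first_install_by_device(records: List[InstallRecord], storage_only: bool = False) -> Dict[str, datetime]:
    """Earliest install time per device instance path; storage_only keeps USBSTOR (mass storage) entries."""
    result: Dict[str, datetime] = {}
    for r in records:
        if storage_only and r.enumerator.upper() != "USBSTOR":
            continue
        key = f"{r.enumerator}\\{r.hardware_id}\\{r.instance_id}"
        if key not in result or r.first_install < result[key]:
            result[key] = r.first_install
    return result


if __name__ == "__main__":
    for path, when in first_install_by_device(parse_setupapi(SAMPLE_LOG)).items():
        serial = path.rsplit("\\", 1)[1]
        print(when.isoformat(), path, "(generated id)" if not has_vendor_serial(serial) else "")
```

The USB and USBSTOR sections for the same stick share the serial (the USBSTOR instance adds "&0"), so the two records can be tied together; the mouse-like device in the third section has a generated id and only tells you that some device of that VID/PID was installed.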
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
Can be used to get the following data:
- Identify networks the computer has been connected to, wireless or wired.
- Identify the domain name / intranet name (DnsSuffix value).
- Identify the SSID (FirstNetwork value) and the MAC address of the gateway (DefaultGatewayMac value); a wireless gateway's MAC address can be looked up in wardriving databases, so the network can be physically located.
Each signature's ProfileGuid value points to SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}, which holds the profile name, the network type (NameType: 0x06 wired, 0x17 broadband, 0x47 wireless) and the DateCreated and DateLastConnected timestamps.
Note: this will also list any networks that have been connected to via a VPN.
"Search History" on the Windows system (via Search Assistant)
Key: NTUSER.DAT\Software\Microsoft\SearchAssistant\ACMru\XXXX (Windows XP). Possible values of XXXX:
Key: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery (Windows 7 and later). Keywords typed into the Explorer search box are stored as Unicode (UTF-16LE) strings in numbered values and listed in temporal order, most recent first, in the MRUListEx value.
This is about … .
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. Entries can remain for programs that no longer exist on the system. The subkey's last write time usually corresponds to when the application was installed (or last updated), and many entries also carry an InstallDate value.
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore for installed Microsoft Store (Appx) applications. It distinguishes between packages installed for a specific user and those installed system-wide.
Key: SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall (in the SOFTWARE hive, not SYSTEM) for 32-bit applications installed on 64-bit Windows. Different versions of a program get separate subkeys.
Key: SOFTWARE\Classes\Installer\Products for applications installed with the Microsoft Installer (MSI packages).
The Windows 7-10 taskbar Jump List lets users "jump" to items they have used frequently or recently. This covers recent files as well as recent tasks. The data lives in the user's %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations folder; each file there is named with the AppID of the associated application (<AppID>.automaticDestinations-ms), so the AppID has to be mapped back to the application that created it.
Key: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
This key tracks the last 150 files or folders opened, and its MRUListEx value records the temporal order in which each file or folder was opened.
- .XXX subkeys: the last files opened with that specific extension, each with its own MRUListEx.
- Folder subkey: the last folders opened; its MRUListEx tracks the temporal order in which each folder was opened.
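Both WordWheelQuery (above) and the RecentDocs subkeys store their entries the same way: numbered values holding a null-terminated UTF-16LE string, ordered by an MRUListEx value. As an added example (not code from the original page), the following Python parses that layout for either key. The value dictionaries are constructed stand-ins for data read from an offline NTUSER.DAT; the search terms and file names are invented, and the bytes appended after a RecentDocs name are a placeholder for the shell item that follows the name in a real value.

```python
import struct
from typing import Dict, List


def parse_mrulistex(blob: bytes) -> List[int]:
    """MRUListEx is a run of little-endian uint32 value indexes, most recent first,
    terminated by 0xFFFFFFFF. Trailing bytes that do not form a whole uint32 are ignored."""
    order: List[int] = []
    usable = blob[: len(blob) - len(blob) % 4]
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def utf16_cstring(blob: bytes) -> str:
    """Decode the null-terminated UTF-16LE string at the start of a value. Anything after the
    (2-byte aligned) terminator, such as the shell item RecentDocs appends, is ignored."""
    for i in range(0, len(blob) - 1, 2):
        if blob[i] == 0 and blob[i + 1] == 0:
            return blob[:i].decode("utf-16-le")
    return blob.decode("utf-16-le", errors="replace")


def mru_entries(values: Dict[str, bytes]) -> List[str]:
    """Entries of a WordWheelQuery key or a RecentDocs subkey, most recent first.
    The first entry is the one whose addition set the key's last write time."""
    if "MRUListEx" not in values:
        return []
    order = parse_mrulistex(values["MRUListEx"])
    return [utf16_cstring(values[str(i)]) for i in order if str(i) in values]


def recentdocs_by_extension(subkeys: Dict[str, Dict[str, bytes]]) -> Dict[str, List[str]]:
    """Apply mru_entries to every RecentDocs subkey (".docx", "Folder", ...)."""
    return {name: mru_entries(values) for name, values in subkeys.items()}


def _u16(s: str) -> bytes:
    """Encode a string the way these keys store it: UTF-16LE plus a 2-byte terminator."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample: a WordWheelQuery key with three searches, newest index 2.
SAMPLE_WORDWHEEL = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": _u16("payroll"),
    "1": _u16("vpn config"),
    "2": _u16("mimikatz"),
}

# Constructed sample: RecentDocs subkeys. The bytes after each name stand in for the shell item
# (containing the .lnk name) that a real RecentDocs value carries after the terminator.
_SHELL_ITEM_PLACEHOLDER = b"\x14\x00\x32\x00\x00\x00\x00\x00"
SAMPLE_RECENTDOCS = {
    ".docx": {
        "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
        "0": _u16("Q1 report.docx") + _SHELL_ITEM_PLACEHOLDER,
        "1": _u16("draft-2.docx") + _SHELL_ITEM_PLACEHOLDER,
    },
    "Folder": {
        "MRUListEx": struct.pack("<2I", 0, 0xFFFFFFFF),
        "0": _u16("Downloads") + _SHELL_ITEM_PLACEHOLDER,
    },
}

if __name__ == "__main__":
    print("WordWheelQuery:", mru_entries(SAMPLE_WORDWHEEL))
    for ext, names in recentdocs_by_extension(SAMPLE_RECENTDOCS).items():
        print(f"RecentDocs\\{ext}:", names)
```

Only the MRUListEx gives the order; the numeric value names are allocation slots and say nothing about recency on their own.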
Amcache (C:\Windows\AppCompat\Programs\Amcache.hve)
And yet another place to check for program execution, and a rich one: it records installed applications, drivers and unassociated programs (executables not tied to an installed application), with plenty of metadata for each entry, including the SHA-1 hash of the file. Be careful, though: an Amcache entry shows that the file was present and inventoried, not that it was executed.
BAM/DAM. Key: SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID> (on builds before Windows 10 1809 there is no State level: SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>); DAM uses the same layout under Services\dam. Each value name is the full path of an executable run on the system, written as a \Device\HarddiskVolumeN\... path, and the value data holds the last execution date/time as a FILETIME (UTC) in its first 8 bytes; entries are grouped per user SID. BAM stands for Background Activity Moderator and DAM for Desktop Activity Moderator. BAM controls the activity of background applications, whereas DAM throttles desktop applications to save energy.