Are we looking for USB storage media activity or all USB devices? Like, cameras 📸? Headphones 🎧?
🔑 SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
🔑 SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
🔑 SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
These keys can be used to get the following data:
ACMRU: "Search History" on the Windows system (via Search Assistant).
🔑 NTUSER.DAT\Software\Microsoft\SearchAssistant\ACMru\XXXX. Possible values of XXXX:
Key 🔑: Microsoft\Windows\CurrentVersion\Uninstall. This key can still hold entries for programs that no longer exist on the system.
The Windows 7-10 taskbar (Jump List) is engineered to let users "jump" to, or access, items they have used frequently or recently, quickly and easily. This functionality covers not only recent media files but also recent tasks. Each application's data in the AutomaticDestinations folder is stored in its own file, whose name is prefixed with the AppID of the associated application.
RecentDocs 🔑 NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
This key tracks the last 150 files or folders opened, and records the temporal order in which each file/folder was opened.
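The temporal order under RecentDocs is kept in the MRUListEx value (little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF), and each indexed value starts with the file or folder name as a NUL-terminated UTF-16LE string followed by a shell item. The parser below is an added example, not code from the original page; the sample registry values are constructed, and the optional live-registry loader assumes a Windows host.

```python
import struct

MRU_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(data: bytes) -> list[int]:
    """Return the value indexes in MRU order (most recent first)."""
    order = []
    for off in range(0, len(data) - 3, 4):          # ignore a trailing partial DWORD
        idx = struct.unpack_from("<I", data, off)[0]
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def parse_recentdoc_name(data: bytes) -> str:
    """Extract the leading NUL-terminated UTF-16LE name; the shell item after it is ignored."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def recent_docs_in_order(values: dict[str, bytes]) -> list[str]:
    """Resolve MRUListEx indexes to names, skipping indexes with no matching value."""
    order = parse_mrulistex(values.get("MRUListEx", b""))
    return [parse_recentdoc_name(values[str(i)]) for i in order if str(i) in values]


def load_live_recentdocs() -> dict[str, bytes]:
    """Read the current user's RecentDocs values from the live registry (Windows only)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = data
            i += 1
    return values


def _entry(name: str) -> bytes:
    # Constructed sample value: UTF-16LE name, NUL terminator, then placeholder shell-item bytes.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x1f\x00" + b"\x00" * 16


SAMPLE_VALUES = {                                    # constructed, not captured from a real hive
    "0": _entry("notes.txt"),
    "1": _entry("budget.xlsx"),
    "2": _entry("report.docx"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRU_TERMINATOR),
}
```

Running `recent_docs_in_order(SAMPLE_VALUES)` on the constructed data yields report.docx, notes.txt, budget.xlsx, i.e. the open order most-recent-first; on a live Windows host pass `load_live_recentdocs()` instead.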
And yet another place to check for program execution. It's like a forensic treasure trove of program execution: you can see installed applications, drivers and unassociated programs, and for each entry you can see loads of metadata. You can even see the SHA1 hashes! How great is that? However, be careful: installed doesn't mean executed!
It provides the full path of the executable run on the system and the last execution date/time. BAM stands for Background Activity Moderator, and DAM for Desktop Activity Moderator. BAM is a "daemon master" (it controls the background services), whereas DAM moderates desktop services to save energy.
To open a file, one needs to perform a delightful jaunt to the directory where the file resides. Now picture this: wouldn't it be splendid if we could keep a journal of the full paths of all the folders visited? It so happens that this nice functionality does exist on Windows machines, and it is called ShellBags. Since these folders can be located on a remote machine, a USB drive or any other external media, this artefact can be used to make assumptions about remote connections and attached devices.
How often has the following happened to you? You want to run a program, but it's not designed to run on this version of the OS. Windows has a mechanism to run older programs on newer systems. Even when these "compatibility" adjustments are not required, Windows still logs this information for all the programs run.
GUI-based programs launched from the desktop are tracked in the launcher on a Windows system.
Hives:
C:\Documents and Settings\*\ntuser.dat
C:\Users\*\ntuser.dat
C:\Users\*\ntuser.dat.LOG*
C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat