
Execution

Created: 02.06.2023

This is about … .

Windows

To find the evidence of execution, try the following artefacts:

  1. Dr Watson
  2. Installed and uninstalled
    1. Key 🔑: Microsoft\Windows\CurrentVersion\Uninstall. Entries may remain for programs that no longer exist on the system. The key's last write time is when the application was installed.
    2. Key 🔑: Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore for installed Microsoft (Appx) applications. Distinguishes between those installed for a specific user and those installed system-wide.
    3. Key 🔑: Wow6432Node (SYSTEM hive root node) - programs that run in 32-bit mode. Separate sub-keys for different versions of a program.
    4. Key 🔑: Classes\Installer\Products - programs installed using Microsoft Installer (packages with the .msi extension).
  3. Prefetch
  4. AmCache
  5. ShimCache
  6. BAM
  7. MUICache
  8. ComDlg32
  9. Jump List Data
  10. Recent Apps
  11. User Assist

macOS

AppStore Downloads

/Library/Receipts/InstallHistory.plist
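InstallHistory.plist is a plist array of dictionaries, one per install event, so it can be turned into an install timeline with the standard library alone. The parser below is an added example, not code from the original post; the keys it reads (date, displayName, displayVersion, packageIdentifiers, processName) are the ones the file uses, while the embedded plist is constructed for demonstration and is an assumption about typical content.

```python
"""Parse a macOS InstallHistory.plist into a sorted install timeline.

Added example (not from the original post). The sample plist below is
constructed; it mirrors the layout of /Library/Receipts/InstallHistory.plist.
"""
import plistlib

# Constructed sample: two install events written by different processes.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>date</key><date>2023-06-01T18:03:10Z</date>
    <key>displayName</key><string>Example Utility</string>
    <key>displayVersion</key><string>2.0</string>
    <key>packageIdentifiers</key><array><string>com.example.utility</string></array>
    <key>processName</key><string>appstoreagent</string>
  </dict>
  <dict>
    <key>date</key><date>2023-05-30T09:12:44Z</date>
    <key>displayName</key><string>Example Editor</string>
    <key>displayVersion</key><string>1.4.2</string>
    <key>packageIdentifiers</key><array><string>com.example.editor.pkg</string></array>
    <key>processName</key><string>installer</string>
  </dict>
</array>
</plist>
"""


def parse_install_history(raw):
    """Return install events as dicts, oldest first (plist order is not guaranteed)."""
    entries = plistlib.loads(raw)
    timeline = []
    for e in entries:
        timeline.append({
            "date": e.get("date"),            # plistlib yields naive UTC datetimes
            "name": e.get("displayName"),
            "version": e.get("displayVersion"),
            "packages": list(e.get("packageIdentifiers", [])),
            "process": e.get("processName"),  # which component performed the install
        })
    timeline.sort(key=lambda r: r["date"])
    return timeline


def installs_by_process(raw, process_name):
    """Filter the timeline by the installing process, e.g. to separate
    App Store installs from manually run .pkg installs."""
    return [r for r in parse_install_history(raw) if r["process"] == process_name]


if __name__ == "__main__":
    for row in parse_install_history(SAMPLE_PLIST):
        print(row["date"].isoformat(), row["name"], row["version"], row["process"])
```

Run it against a copy of the real file by replacing SAMPLE_PLIST with the file's bytes; the process name column is the quickest way to tell which install path an entry came from.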

Spotlight shortcuts

/Users/%username%/Library/Application Support/com.apple.spotlight.Shortcuts

Finder MRU

/Users/%username%/Library/Preferences/com.apple.finder.plist

Linux

  1. Trash /home/%username%/.local/share/Trash/
  2. Recent Files /home/%username%/.local/share/recently-used.xbel
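recently-used.xbel is an XML bookmark file, and each entry records not only the file but every application that opened it, with a counter and a last-used timestamp per application. The parser below is an added example, not code from the original post; the element and attribute names follow the freedesktop.org XBEL conventions, and the sample document is constructed.

```python
"""Extract recently-opened files, and the applications that opened them,
from a GTK recently-used.xbel file.

Added example (not from the original post). SAMPLE_XBEL is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

NS = {
    "bookmark": "http://www.freedesktop.org/standards/desktop-bookmarks",
    "mime": "http://www.freedesktop.org/standards/shared-mime-info",
}

# Constructed sample: one text file opened by gedit, one image opened by two apps.
SAMPLE_XBEL = """<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
  <bookmark href="file:///home/user/Documents/meeting%20notes.txt"
            added="2023-06-01T10:00:00Z" modified="2023-06-01T10:05:00Z" visited="2023-06-01T10:05:00Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="text/plain"/>
        <bookmark:applications>
          <bookmark:application name="gedit" exec="&apos;gedit %u&apos;" modified="2023-06-01T10:05:00Z" count="3"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
  <bookmark href="file:///home/user/Pictures/photo.jpg"
            added="2023-06-02T08:30:00Z" modified="2023-06-02T08:30:00Z" visited="2023-06-02T08:30:00Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="image/jpeg"/>
        <bookmark:applications>
          <bookmark:application name="eog" exec="&apos;eog %u&apos;" modified="2023-06-02T08:30:00Z" count="1"/>
          <bookmark:application name="gimp" exec="&apos;gimp-2.10 %u&apos;" modified="2023-06-02T08:31:00Z" count="1"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
</xbel>
"""


def parse_recently_used(xml_text):
    """Return one dict per bookmark: decoded path, timestamps, MIME type, apps."""
    root = ET.fromstring(xml_text)
    entries = []
    for bm in root.findall("bookmark"):
        href = bm.get("href", "")
        # hrefs are percent-encoded file URIs; decode them to a plain path
        path = unquote(urlparse(href).path) if href.startswith("file://") else href
        mime_el = bm.find("info/metadata/mime:mime-type", NS)
        apps = []
        for app in bm.findall("info/metadata/bookmark:applications/bookmark:application", NS):
            apps.append({
                "name": app.get("name"),
                "exec": app.get("exec"),
                "count": int(app.get("count", "0")),   # times this app opened the file
                "modified": app.get("modified"),       # last time this app opened it
            })
        entries.append({
            "path": path,
            "added": bm.get("added"),
            "modified": bm.get("modified"),
            "visited": bm.get("visited"),
            "mime": mime_el.get("type") if mime_el is not None else None,
            "apps": apps,
        })
    return entries


def files_opened_by(xml_text, app_name):
    """All paths that a given application is recorded as having opened."""
    return sorted(e["path"] for e in parse_recently_used(xml_text)
                  if any(a["name"] == app_name for a in e["apps"]))


if __name__ == "__main__":
    for e in parse_recently_used(SAMPLE_XBEL):
        print(e["visited"], e["path"], [a["name"] for a in e["apps"]])
```

Note that the per-application `modified` value can be later than the bookmark's own `visited` value (as gimp's is in the sample), so both should be kept when building a timeline.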

Android

Obtain an image or physical evidence to work with. For Android, to see installed apps and recent activity:

  • packages.list
  • packages.xml - to see permissions for all applications in one place. For example, if an application has an SMS or messaging permission, you'll know where to look; or you may need all applications with chat permissions or access to the camera.
  • com.android.vending
  • usagestats
  • usage history
  • battery stats
  • recent images
  • snapshots
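The packages.xml use case above (every application with SMS or camera permissions in one pass) can be scripted with the standard library. This is an added example, not from the original post. It assumes the older packages.xml layout in which each `<package>` element carries a `<perms>` block of `<item name="..." granted="..."/>` children and hex-encoded millisecond timestamps in the `it` (install time) attribute; newer Android versions keep runtime permission grants in a separate runtime-permissions.xml, so for those the two files have to be merged. The sample document is constructed.

```python
"""List installed Android packages holding a given set of permissions by
parsing packages.xml.

Added example (not from the original post). SAMPLE_PACKAGES_XML is
constructed; the <perms>-inside-<package> layout is an assumption that
holds for older Android releases.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
CAMERA_PERMISSIONS = {"android.permission.CAMERA"}

# Constructed sample: a messenger with SMS + camera, a flashlight with camera,
# and a notes app whose SMS permission was declared but not granted.
SAMPLE_PACKAGES_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<packages>
  <package name="com.example.messenger" codePath="/data/app/com.example.messenger-1" userId="10101" ft="18876665d00" it="18876665d00" ut="18876665d00" version="42">
    <perms>
      <item name="android.permission.INTERNET" granted="true" flags="0" />
      <item name="android.permission.RECEIVE_SMS" granted="true" flags="0" />
      <item name="android.permission.CAMERA" granted="true" flags="0" />
    </perms>
  </package>
  <package name="com.example.flashlight" codePath="/data/app/com.example.flashlight-1" userId="10102" ft="18876665d00" it="18876665d00" ut="18876665d00" version="7">
    <perms>
      <item name="android.permission.INTERNET" granted="true" flags="0" />
      <item name="android.permission.CAMERA" granted="true" flags="0" />
    </perms>
  </package>
  <package name="com.example.notes" codePath="/data/app/com.example.notes-1" userId="10103" ft="18876665d00" it="18876665d00" ut="18876665d00" version="3">
    <perms>
      <item name="android.permission.INTERNET" granted="true" flags="0" />
      <item name="android.permission.READ_SMS" granted="false" flags="0" />
    </perms>
  </package>
</packages>
"""


def parse_packages(xml_text):
    """Return {package name: {uid, code_path, installed (UTC), perms (granted set)}}."""
    root = ET.fromstring(xml_text)
    result = {}
    for pkg in root.findall("package"):
        granted = {
            item.get("name")
            for item in pkg.findall("perms/item")
            if item.get("granted", "true") == "true"   # skip declared-but-denied ones
        }
        it_hex = pkg.get("it")   # install time: hex milliseconds since the Unix epoch
        installed = (datetime.fromtimestamp(int(it_hex, 16) / 1000, tz=timezone.utc)
                     if it_hex else None)
        result[pkg.get("name")] = {
            "uid": int(pkg.get("userId", "-1")),
            "code_path": pkg.get("codePath"),
            "installed": installed,
            "perms": granted,
        }
    return result


def packages_with_any(xml_text, wanted):
    """Package names holding at least one of the wanted permissions, sorted."""
    pkgs = parse_packages(xml_text)
    return sorted(name for name, info in pkgs.items() if info["perms"] & set(wanted))


if __name__ == "__main__":
    print("SMS:", packages_with_any(SAMPLE_PACKAGES_XML, SMS_PERMISSIONS))
    print("Camera:", packages_with_any(SAMPLE_PACKAGES_XML, CAMERA_PERMISSIONS))
```

The `granted` check matters: a permission that is merely declared in the manifest shows up in packages.xml too, and treating it as held would send you into the wrong app's data.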

tccb on iOS?

Chromebook - extension preferences file.

Run commercial tools to parse the data. If none covers it, look for a specific parser, perhaps one written for a similar app, and try it.

Create profiles; do not use any real data for generation.

Fake data - mockaroo and generatedata.com

  1. Take a snapshot of the system state before populating it with data.
  2. Write a script-plan.
  3. Take notes.
  4. Perform actions 1 min apart.
  5. Screencap the actions.
  6. Document them (log with the script).
  7. Compare with the baseline "snapshot" from step 1.
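The baseline-and-compare loop in steps 1 to 7 comes down to hashing everything before, logging each scripted action with a timestamp, hashing everything after, and attributing every added, removed or changed file to the action that caused it. The helper below is an added example, not from the original post; it works on a directory tree (on a real device that would be the extracted filesystem or an app sandbox) and its demo run uses a constructed temporary directory.

```python
"""Baseline-and-compare helper for the test-data generation procedure:
snapshot, perform logged actions, snapshot again, report the delta.

Added example (not from the original post). demo() builds a constructed
temporary directory to stand in for an extracted filesystem.
"""
import hashlib
import pathlib
import tempfile
from datetime import datetime, timezone


def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    root = pathlib.Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            result[str(path.relative_to(root))] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def diff_snapshots(before, after):
    """Classify every path as added, removed or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def log_action(log, description, when=None):
    """Append a timestamped note (steps 3 and 6) and return the entry."""
    when = when or datetime.now(timezone.utc)
    entry = (when.isoformat(timespec="seconds"), description)
    log.append(entry)
    return entry


def demo():
    """Constructed walk-through: baseline, one scripted action, comparison."""
    log = []
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "app.db").write_bytes(b"schema v1")
        (root / "old.log").write_bytes(b"stale")
        before = snapshot(root)                       # step 1
        log_action(log, "baseline snapshot taken")
        # The scripted action (step 4): the app rewrites its DB, creates a
        # new artefact and deletes its old log.
        (root / "app.db").write_bytes(b"schema v1 + new row")
        (root / "recent.db").write_bytes(b"new")
        (root / "old.log").unlink()
        log_action(log, "sent one message in the app")
        after = snapshot(root)
    return diff_snapshots(before, after), log        # step 7


if __name__ == "__main__":
    delta, actions = demo()
    for stamp, what in actions:
        print(stamp, what)
    print(delta)
```

Spacing actions a minute apart, as step 4 says, is what makes the timestamps in the action log line up unambiguously with the file modification times in the delta.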

https://blog.d204n6.com/2020/08/setting-up-testing-lab-of-ios-and.html

https://www.mac4n6.com/blog/2020/8/23/step-by-step-iphone-setup-for-ios-research-via-bizzybarney

https://www.mac4n6.com/blog/2020/8/13/step-by-step-macos-setup-for-ios-research-via-bizzybarney

Do not make assumptions before testing! For example, a QuizUp game folder contained some usernames and pictures and the assumption would be that this person was in touch with the suspect. However, testing revealed that when you choose to randomly find you a rival from around the globe 🌎, QuizUp automatically adds them to the player’s contacts.

Jessica advises using appropriate view-managers for specific files, but I would also recommend checking these files in hex as well. There was once a case when I performed a vulnerability assessment of a mobile application and I got a SQLite DB, opened it in SQLite Browser DB and couldn't find the data I was looking for. However, the grep command showed that this data was in the DB. I opened it in hex and noticed that it might have been damaged because there was an amount of data almost the same size as the visible one that was not shown in the viewer. Perhaps those were some deleted rows or the DB was damaged indeed.

Applications of different versions or platforms may have different data structure. For example, iOS QuizUp had a geolocation field, while Android didn’t at that point in time. [1]

iOS

KnowledgeC:

https://www.magnetforensics.com/blog/analysis-of-graykey-images-with-axiom-new-knowledgec-database-artifact-additions/
  • /private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db
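knowledgeC.db is a plain SQLite database, so a copy of it can be queried directly once its timestamps are converted. The query below is an added example, not from the original post or the linked Magnet article; it assumes only a small subset of the real ZOBJECT table (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) and the `/app/inFocus` stream, and the database it runs against is constructed in memory.

```python
"""Pull application-focus events out of a knowledgeC.db copy and convert the
Cocoa timestamps (seconds since 2001-01-01 UTC) to UTC datetimes.

Added example (not from the original post). build_sample_db() constructs an
in-memory stand-in with the handful of ZOBJECT columns used here.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(seconds):
    """knowledgeC stores dates as seconds since the Cocoa epoch, not Unix."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def utc_to_cocoa(dt):
    return (dt - COCOA_EPOCH).total_seconds()


def build_sample_db():
    """Constructed sample: two app-focus events plus one unrelated stream row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ZOBJECT (
        Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, ZVALUESTRING TEXT,
        ZSTARTDATE REAL, ZENDDATE REAL)""")
    t0 = datetime(2023, 6, 1, 10, 0, tzinfo=timezone.utc)
    rows = [
        ("/app/inFocus", "com.example.messenger", t0, t0 + timedelta(minutes=5)),
        ("/app/inFocus", "com.apple.mobilesafari", t0 + timedelta(minutes=5), t0 + timedelta(minutes=7)),
        ("/display/isBacklit", None, t0, t0 + timedelta(minutes=7)),
    ]
    conn.executemany(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) VALUES (?, ?, ?, ?)",
        [(s, v, utc_to_cocoa(a), utc_to_cocoa(b)) for s, v, a, b in rows],
    )
    conn.commit()
    return conn


def app_focus_events(conn):
    """Foreground-app intervals, oldest first, with times as ISO-8601 UTC."""
    cur = conn.execute("""SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE FROM ZOBJECT
                          WHERE ZSTREAMNAME = '/app/inFocus' ORDER BY ZSTARTDATE""")
    events = []
    for bundle, start, end in cur:
        s, e = cocoa_to_utc(start), cocoa_to_utc(end)
        events.append({"bundle": bundle, "start": s.isoformat(), "end": e.isoformat(),
                       "seconds": int((e - s).total_seconds())})
    return events


def focus_time_by_app(conn):
    """Total foreground seconds per bundle identifier."""
    totals = {}
    for ev in app_focus_events(conn):
        totals[ev["bundle"]] = totals.get(ev["bundle"], 0) + ev["seconds"]
    return totals


if __name__ == "__main__":
    db = build_sample_db()
    for ev in app_focus_events(db):
        print(ev["start"], ev["end"], ev["bundle"])
    print(focus_time_by_app(db))
```

Against a real copy, replace `build_sample_db()` with `sqlite3.connect("file:knowledgeC.db?mode=ro", uri=True)` so the evidence copy is opened read-only; the epoch conversion is the part most often got wrong when timelines from this database are compared with Unix-epoch artefacts.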

Screentime:

  • /private/var/mobile/Library/Application Support/com.apple.remotemanagementd/RMAdminStore-Local.sqlite

Snapshots:

  • /private/var/mobile/Library/Containers/Data/Application/[APPGUID]/Library/SplashBoard/Snapshots/

References
