
🏺 Windows Registry

🖱 Devices Attached

Are we looking for USB storage media activity or for all USB devices, like cameras 📸?

🏺 SAM

This is about … .

Installed Apps

Key 🔑: Microsoft\Windows\CurrentVersion\Uninstall. The key may still hold entries for programs that no longer exist on the system.

Jumplist Data

The Windows 7-10 task bar (Jump List) is engineered to let users “jump” to, or access, items they have used frequently or recently, quickly and easily. This functionality covers not only recent media files but also recent tasks.

Recents

Key 🔑: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps. Similar to UserAssist; it also records the files that were opened through each listed application.

Uninstalled

Key 🔑: Microsoft\Windows\CurrentVersion\Uninstall.

AmCache

And yet another place to check for program execution. It’s like a forensic treasure of program execution. You can see installed applications, drivers and unassociated programs. For each entry, you can see loads of metadata. You can even see the SHA1 hashes! How great is that? However, be careful; installed doesn’t mean executed!

BAM and DAM

These keys provide the full path of each executable run on the system and its last execution date/time. BAM stands for Background Activity Moderator, and DAM for Desktop Activity Moderator. BAM is a “daemon master” (it controls the background services), whereas DAM moderates desktop services to save energy.
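As an added example (not code from these notes), a small Python decoder for BAM values: it assumes the values of one SID subkey under SYSTEM\…\Services\bam\State\UserSettings have already been read (that location and the Version/SequenceNumber value names are assumptions, not given on the page), and it runs on constructed sample bytes.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME integer to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_bam_entries(values: dict) -> list:
    """Decode BAM values: map of value name -> raw value data for one SID subkey.

    Executable entries use the full (device) path as the value name and a
    24-byte REG_BINARY payload whose first 8 bytes are the last-run FILETIME.
    Bookkeeping DWORDs (assumed names: Version, SequenceNumber) have a
    different length and are skipped. Returns (path, last_run) newest first.
    """
    entries = []
    for name, data in values.items():
        if len(data) != 24:
            continue  # not an executable entry
        (ft,) = struct.unpack_from("<Q", data, 0)
        entries.append((name, filetime_to_datetime(ft)))
    entries.sort(key=lambda e: e[1], reverse=True)
    return entries


# Constructed sample data (not captured from a real system).
_T0 = 132602852960000000  # FILETIME for 2021-03-15 12:34:56 UTC
SAMPLE_VALUES = {
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<I", 42),
    "\\Device\\HarddiskVolume3\\Windows\\System32\\notepad.exe":
        struct.pack("<Q", _T0) + b"\x00" * 16,
    "\\Device\\HarddiskVolume3\\Users\\alice\\Downloads\\tool.exe":
        struct.pack("<Q", _T0 + 600 * 10_000_000) + b"\x00" * 16,  # ten minutes later
}

if __name__ == "__main__":
    for path, last_run in parse_bam_entries(SAMPLE_VALUES):
        print(last_run.isoformat(), path)
```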

ComDlg32

Key 🔑: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32. CIDSizeMRU tracks applications globally. MRU entries start at zero, and a timestamp is available for the most recent item only.

MUICache

Key 🔑: Local Settings\Software\Microsoft\Windows\Shell\MuiCache. Installed and executed applications for that particular user. There are no timestamps for these actions, only the last-write date and time of the registry key.

ShellBag

To open a file, one needs to perform a delightful jaunt to the directory where that file resides. Now picture this: imagine if we could keep a journal of the full paths of all the folders visited; wouldn’t that be splendid? It so happens that this nice functionality does exist on Windows machines, and ShellBags they are called. Since these folders can be located on a remote machine, a USB drive or any other external media, this artefact can be used to draw inferences about remote connections and attached devices.

ShimCache aka AppCompatCache

How often has the following happened to you? You want to run a program, but it’s not designed to run on this version of the OS. Windows has a mechanism for running older programs on newer systems. Even when these “compatibility” adjustments are not required, Windows still logs the information for all programs run.

User Assist

Key 🔑: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. List of programs and applets that can be quickly started from the Start menu for usability: the most often used items.

⚙️ Windows Registry

Hives: C:\Documents and Settings\*\ntuser.dat, C:\Users\*\ntuser.dat, C:\Users\*\ntuser.dat.LOG*, C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.