Windows Are we looking for USB storage media activity or all USB devices? Like, cameras 📸?
This is about … .
Key 🔑: Microsoft\Windows\CurrentVersion\Uninstall. It can still hold data for programs that no longer exist on the system.
The Windows 7-10 task bar (Jump List) is engineered to allow users to “jump” to, or quickly and easily access, items they have frequently or recently used. This functionality covers not only recent media files but also recent tasks.
Key 🔑: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps. Similar to UserAssist. It also shows the files and applications that were used through each application.
And yet another place to check for program execution. It’s like a forensic treasure trove of program execution. You can see installed applications, drivers and unassociated programs. For each entry, you can see loads of metadata. You can even see the SHA1 hashes! How great is that? However, be careful: installed doesn’t mean executed!
It provides a full path of the executable file run on the system and the last execution date/time. BAM stands for Background Activity Moderator, and DAM - Desktop Activity Moderator. BAM is a “daemon master” (controls the background services), whereas DAM moderates desktop services to save energy.
Key 🔑: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32. CIDSizeMRU tracks applications globally. MRU numbering starts at zero. There is a timestamp for the most recent item only.
Key 🔑: Local Settings\Software\Microsoft\Windows\Shell\MuiCache. Installed and executed applications for that particular user. There are no timestamps for these actions, only the last-write date and time of the registry key.
To open a file, one needs to perform a delightful jaunt to the directory where the file resides. Now picture this: imagine if we could keep a journal of the full paths of all the folders visited; wouldn’t that be splendid? It so happens that this nice functionality does exist on Windows machines, and it is called ShellBags. Since these folders can be located on a remote machine, a USB drive or any other external media, this artefact can be used to make assumptions about remote connections and attached devices.
How often has the following happened to you? You want to run a program, but it’s not designed to run on this version of the OS. Windows has a mechanism to run older programs on newer systems. Even when these “compatibility” adjustments are not required, Windows still logs the information for all the programs run.
Key 🔑: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. List of programs and applets that can be quickly started from the Start menu for usability: the most often used items.
Hives:
C:\Documents and Settings\*\ntuser.dat
C:\Users\*\ntuser.dat
C:\Users\*\ntuser.dat.LOG*
C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.