Host Artefacts

⮛ïļ Console Activity Analysis

Remote vs local commands? Windows: CMD; PowerShell (Windows PowerShell event logs, Operational log, monitoring). The PowerShell Operational log lives at %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx; look at event IDs 4103 and 4104 (4104 entries are also written, at Warning level, when Windows itself considers a script block suspicious).
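The following is an added example, not code from the original page: it reads 4103/4104 events from an exported copy of the Operational log (the case path is a placeholder), flags 4103 pipelines whose host application is wsmprovhost.exe as remote (WinRM) activity, and stitches multi-part 4104 script blocks back together by ScriptBlockId, marking those Windows logged at Warning level.

```powershell
# Added example. $LogPath is a placeholder; set it to $null to read the live log instead.
$LogPath = 'C:\cases\CASE-PLACEHOLDER\Microsoft-Windows-PowerShell%4Operational.evtx'

$filter = @{ Id = 4103, 4104 }
if ($LogPath) { $filter.Path = $LogPath } else { $filter.LogName = 'Microsoft-Windows-PowerShell/Operational' }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

# Pull the named EventData fields out of an event's XML into a hashtable.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $x = [xml]$Event.ToXml(); $h = @{}
    foreach ($d in $x.Event.EventData.Data) { $h[[string]$d.Name] = [string]$d.'#text' }
    return $h
}

# 4103 (module/pipeline logging): ContextInfo names the host application. A host of
# wsmprovhost.exe means the pipeline ran inside a WinRM remoting session, which is
# the quickest way to separate remote from local commands in this log.
$pipelines = foreach ($e in ($events | Where-Object Id -eq 4103)) {
    $d = Get-EventData $e
    $hostApp = if ($d.ContextInfo -match 'Host Application = (.+)') { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{
        Time    = $e.TimeCreated; UserSid = $e.UserId
        Remote  = ($hostApp -match 'wsmprovhost'); HostApp = $hostApp
        Command = ($d.Payload -replace '\s+', ' ').Trim()
    }
}

# 4104 (script block logging): long blocks are split across several events, so
# reassemble them by ScriptBlockId in MessageNumber order and note any Warning part.
$blocks = $events | Where-Object Id -eq 4104 | ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ Id = $d.ScriptBlockId; N = [int]$d.MessageNumber; Total = [int]$d.MessageTotal
                           Level = $_.LevelDisplayName; Time = $_.TimeCreated; Path = $d.Path
                           Text = $d.ScriptBlockText }
    } | Group-Object Id | ForEach-Object {
        $parts = $_.Group | Sort-Object N
        [pscustomobject]@{
            Time          = $parts[0].Time; ScriptBlockId = $_.Name; Path = $parts[0].Path
            Suspicious    = ($parts.Level -contains 'Warning')   # Windows' own verdict
            Complete      = ($parts.Count -eq $parts[0].Total)  # all fragments present?
            Script        = ($parts.Text -join '')
        }
    }

$pipelines | Where-Object Remote     | Format-Table Time, UserSid, Command -AutoSize
$blocks    | Where-Object Suspicious | Format-List Time, Path, Complete, Script
```

Incomplete blocks (Complete = $false) usually mean the log rolled over or was cleared between fragments, which is itself worth noting in the timeline.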

Account Info

Windows: there are two main places in the registry that hold this information: the SAM hive for local and Microsoft accounts, and Software\Microsoft\Windows NT\CurrentVersion\ProfileList for domain accounts.

👥 Communication

🊜 Persistence and Escalation

*In order to detect and respond to incidents quickly, there are playbooks, which are basically guidelines. Some IR frameworks include these to ease the process. Some techniques give you both persistence and escalation, others persistence only. I will mark those that do both with 🚨*

💎 RAM Extraction And Analysis

⚙ïļ Windows Config

🖥 System Information

Windows: installed programs and applications. Key 🔑: Microsoft\Windows\CurrentVersion\Uninstall. It can still hold entries for programs that no longer exist on the system.

🌍 Geo Location

Android
/data/data/com.google.android.apps.maps/databases/gmm_storage.db
# User Photos
/data/media/0/DCIM/Camera
/data/data/com.android.providers.media/databases/external.db
/data/media/0/bluetooth
/data/media/0/Download
/data/media/0/Pictures/Screenshots
/data/media/0/Pictures/Twitter

iOS
/private/var/mobile/Containers/Data/Application/[APPGUID]/Library/Maps/GeoHistory.mapsdata
/private/var/mobile/Containers/Data/Application/[APPGUID]/Library/Maps/GeoBookmarks.plist
/private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite
/private/var/mobile/Library/Caches/com.

🖱 Devices Attached

Windows: are we looking for USB storage media activity or for all USB devices, like cameras 📸?

🪦 Backups

Windows: Volume Shadow Copies and System Restore, stored under \System Volume Information\. Shadow Copies are exactly the pieces of data that get saved to disk when the System Restore option is enabled.