Windows
Installed programs and applications
Key 🔑: Microsoft\Windows\CurrentVersion\Uninstall (SOFTWARE hive; a per-user copy lives under the same relative path in NTUSER.DAT). Subkeys can remain for programs that no longer exist on the system. The subkey's last write time is normally the time the application was installed (or last updated, since an update rewrites the values).
Key 🔑: Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore for installed Microsoft Store (Appx) packages. Distinguishes between packages installed for a specific user (per-user SID subkeys) and those installed for all users.
Key 🔑: Wow6432Node (root subkey of the SOFTWARE hive, not SYSTEM) - keys for programs that run in 32-bit mode on 64-bit Windows; it mirrors the 64-bit layout (for example Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall). Separate sub-keys exist for different versions of a program.
Key 🔑: Classes\Installer\Products - programs installed using Microsoft Installer (.msi packages). Subkeys are named by product GUID in its packed form; the ProductName value gives the readable name.
OS Information
Key 🔑: Microsoft\Windows NT\CurrentVersion (SOFTWARE hive). ProductName, CurrentBuild and DisplayVersion identify the edition and build. Value InstallDate - install date as a REG_DWORD Unix epoch (seconds since 1970-01-01 UTC; decode with 🛠 Decode or similar). ⚠️ On Windows 10/11 a feature update rewrites InstallDate, so it reflects the last feature upgrade rather than the original installation.
Login info
Key 🔑: Microsoft\Windows\CurrentVersion\Authentication\LogonUI - the LastLoggedOnUser and LastLoggedOnSAMUser values hold the last user who logged on interactively.
Key 🔑: Microsoft\Windows NT\CurrentVersion\Winlogon. Controls the logon process: loading the user profile, the Shell and Userinit values, DefaultUserName/AutoAdminLogon. ⚠️ Shell and Userinit are classic persistence points; anything other than explorer.exe and userinit.exe there deserves a look.
Domain Accounts
Key 🔑: Software\Microsoft\Windows NT\CurrentVersion\ProfileList.
Each subkey is a user SID (local or domain) and holds a ProfileImagePath value pointing at the profile folder (e.g. C:\Users\<name>).
The SAM hive has no information about domain accounts; use the key above for them. Even for a domain user you can still read the local machine SID from SAM and compare it with SIDs found in artifacts to tell local from domain accounts: for example, the per-user folders under $Recycle.Bin are named by SID, so a SID whose prefix matches the machine SID belongs to a local account.
Computer name
Key 🔑: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName and Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName. Can be either manufacturer- or user-defined. ⚠️ ControlSet001 is not always the live control set: SYSTEM\Select\Current records which ControlSetNNN the machine last booted with (CurrentControlSet is only an alias on a running system).
Last shutdown time
Key 🔑: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows, value ShutdownTime (the last shutdown time).
A 64-bit little-endian Windows FILETIME (100 ns ticks since 1601-01-01 UTC), stored as REG_BINARY. ⚠️ It is written only on a clean shutdown: if the machine lost power (cable pulled, crash), the value is not updated and still shows the previous clean shutdown.
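Decoding the two timestamp encodings met above (InstallDate as a Unix epoch DWORD, ShutdownTime as an 8-byte FILETIME) is a small but error-prone step, so here is a helper for both. This is an added example, not part of the original notes; the sample values are constructed, and read_live_shutdown_time assumes it runs on a live Windows host where winreg is available.

```python
"""Decode InstallDate (Unix epoch) and ShutdownTime (FILETIME) registry values.

Added example for these notes; sample values below are constructed, not taken
from a real system.
"""
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def unix_to_datetime(value: int) -> datetime:
    """InstallDate (Windows NT\\CurrentVersion) is a REG_DWORD Unix epoch in UTC."""
    return datetime.fromtimestamp(value, tz=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """ShutdownTime (Control\\Windows) is an 8-byte little-endian FILETIME."""
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    ticks = int.from_bytes(raw, "little")
    # // 10 turns 100 ns ticks into microseconds, the finest timedelta unit.
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime (useful for building test vectors)."""
    ticks = (dt - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return ticks.to_bytes(8, "little")


def read_live_shutdown_time() -> datetime:
    """Read the live value on a running Windows host (assumes winreg exists)."""
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Windows") as key:
        raw, kind = winreg.QueryValueEx(key, "ShutdownTime")
    if kind != winreg.REG_BINARY:
        raise ValueError(f"unexpected value type {kind}")
    return filetime_to_datetime(raw)


# Constructed samples (not from any real system).
SAMPLE_INSTALL_DATE = 1586698037                          # 2020-04-12T13:27:17Z
SAMPLE_SHUTDOWN_TIME = bytes.fromhex("0080350cd1dfd601")  # 2021-01-01T00:00:00Z

if __name__ == "__main__":
    print("InstallDate :", unix_to_datetime(SAMPLE_INSTALL_DATE).isoformat())
    print("ShutdownTime:", filetime_to_datetime(SAMPLE_SHUTDOWN_TIME).isoformat())
```

Both results are UTC; convert with the TimeZoneInformation key (ActiveTimeBias) if you need the machine's local time.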
Crash dump setting
Key 🔑: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl, values DumpFile and MinidumpDir.
Store the location of the full/kernel dump (*.DMP, by default %SystemRoot%\MEMORY.DMP) and of the minidump directory (by default %SystemRoot%\Minidump).
NtfsDisableLastAccessUpdate
Key 🔑: ControlSet001\Control\FileSystem\NtfsDisableLastAccessUpdate (SYSTEM hive).
Controls whether NTFS updates the last access time. Legacy encoding: 1 = disabled (the default from Vista up to Windows 10 1803), 0 = enabled. ⚠️ If updates are disabled (the more likely case on older systems), $STANDARD_INFORMATION access times are not reliable. Even when enabled, NTFS only writes a new access time if it differs by more than an hour from the stored one. The setting only governs the last-access timestamp; the other MFT timestamps (created, modified, MFT entry changed) keep updating as usual.
NTFS Last Access Update encoding on Windows 10 1803+ (bit 31 marks the new scheme, bit 1 = system managed, bit 0 = updates disabled; System Managed means Windows turns updates off by itself when the system volume is larger than 128 GB):
80000000 (hex) = User Managed, Last Access Updates Enabled
80000001 (hex) = User Managed, Last Access Updates Disabled
80000002 (hex) = System Managed, Last Access Updates Enabled - default for Windows 11 (in my case).
80000003 (hex) = System Managed, Last Access Updates Disabled
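A decoder for both encodings of NtfsDisableLastAccessUpdate, as an added example (not part of the original notes). It assumes the bit layout implied by the table: bit 31 marks the Windows 10 1803+ scheme, bit 1 "system managed", bit 0 "updates disabled"; plain 0/1 is the older encoding. The value itself is a REG_DWORD you can read with winreg on a live box or from an exported hive.

```python
"""Interpret NtfsDisableLastAccessUpdate in both its encodings.

Added example for these notes; bit meanings are taken from the table above.
"""
from dataclasses import dataclass

FLAG_NEW_SCHEME = 0x80000000      # set on Windows 10 1803+ values
FLAG_SYSTEM_MANAGED = 0x00000002  # bit 1: Windows decides (128 GB rule)
FLAG_DISABLED = 0x00000001        # bit 0: last access updates are off
_KNOWN_BITS = FLAG_NEW_SCHEME | FLAG_SYSTEM_MANAGED | FLAG_DISABLED


@dataclass(frozen=True)
class LastAccessPolicy:
    updates_enabled: bool
    system_managed: bool
    legacy_encoding: bool  # True for the pre-1803 0/1 values


def decode_last_access(value: int) -> LastAccessPolicy:
    """Return the policy encoded by the REG_DWORD, rejecting unknown bit patterns."""
    if value in (0, 1):
        return LastAccessPolicy(updates_enabled=(value == 0),
                                system_managed=False, legacy_encoding=True)
    if (value & FLAG_NEW_SCHEME) and not (value & ~_KNOWN_BITS):
        return LastAccessPolicy(updates_enabled=not (value & FLAG_DISABLED),
                                system_managed=bool(value & FLAG_SYSTEM_MANAGED),
                                legacy_encoding=False)
    raise ValueError(f"unrecognised NtfsDisableLastAccessUpdate value {value:#x}")


def describe(value: int) -> str:
    """Same wording as the table in the notes, e.g. 'System Managed, Last Access Updates Enabled'."""
    policy = decode_last_access(value)
    managed = "System Managed" if policy.system_managed else "User Managed"
    state = "Enabled" if policy.updates_enabled else "Disabled"
    return f"{managed}, Last Access Updates {state}"


if __name__ == "__main__":
    for sample in (0, 1, 0x80000000, 0x80000001, 0x80000002, 0x80000003):
        print(f"{sample:08x} = {describe(sample)}")
```

When the result is "Disabled", treat every access time on that volume as an upper bound at best; when it is "System Managed", check the system volume size before trusting the current state.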
System time zone
Key 🔑: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation, value TimeZoneKeyName (and ActiveTimeBias, the number of minutes to add to local time to get UTC). ⚠️ Registry timestamps and most Windows artifacts are stored in UTC; this key is what you need to express them in the machine's local time.
macOS
TODO: same structure as for Windows
Quick OS information from the shell: system_profiler, sw_vers, uname.
osquery
If osquery was preinstalled on the machine in question, we are in a better position. It is a very powerful tool: it queries the system for all kinds of information and presents the results as SQL tables.
osqueryi
# config on macOS (installed via brew) is /var/osquery/osquery.example.config
## MAC addresses: recursive grep over the current directory (e.g. a mounted image); the same pattern finds the MACs in daily.out
grep -iro '[0-9a-f]\{2\}:[0-9a-f]\{2\}:[0-9a-f]\{2\}:[0-9a-f]\{2\}:[0-9a-f]\{2\}:[0-9a-f]\{2\}' .
daily.out
Stored at /private/var/log/daily.out (shown as /root/private/var/log/daily.out when the image is mounted under /root). It is written by the periodic daily job; besides disk status it records the network interfaces with their MAC addresses and an "up N mins" line from which the boot time can be estimated. Example of the file contents:
Sun Apr 12 13:27:17 EDT 2020
Removing old temporary files:
Cleaning out old system announcements:
Removing stale files from /var/rwho:
Disk status:
Filesystem Size Used Avail Capacity iused ifree %iused Mounted on
/dev/disk1s5 100Gi 9.9Gi 83Gi 11% 481695 1044735185 0% /
/dev/disk1s1 100Gi 6.3Gi 83Gi 8% 34701 1045182179 0% /System/Volumes/Data
/dev/disk1s4 100Gi 1.0Mi 83Gi 1% 1 1045216879 0% /private/var/vm
Network interface status:
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
lo0 16384 <Link#1> 1072 0 1072 0 0
lo0 16384 127 localhost 1072 - 1072 - -
lo0 16384 localhost ::1 1072 - 1072 - -
lo0 16384 fe80::1%lo0 fe80:1::1 1072 - 1072 - -
gif0* 1280 <Link#2> 0 0 0 0 0
stf0* 1280 <Link#3> 0 0 0 0 0
en0 1500 <Link#4> 00:0c:29:c4:65:77 372733 0 73025 0 0
en0 1500 fe80::8c8:8 fe80:4::8c8:87c2: 372733 - 73025 - -
en0 1500 184.171.151/2 stu-181-151-171 372733 - 73025 - -
utun0 1380 <Link#5> 0 0 2 0 0
utun0 1380 fe80::8375: fe80:5::8375:3ebe 0 - 2 - -
utun1 2000 <Link#6> 0 0 2 0 0
utun1 2000 fe80::feea: fe80:6::feea:9530 0 - 2 - -
Local system status:
13:27 up 7 mins, 1 user, load averages: 7.76 3.82 1.64
-- End of daily output --
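A parser for the layout shown above, as an added example that is not part of the original notes: it pulls each run's timestamp, the MAC of every interface with a link-layer row, and the uptime, from which it estimates the boot time (run time minus uptime). DAILY_OUT is a constructed sample in the same layout as the excerpt; the values are made up.

```python
"""Parse macOS daily.out runs: run timestamp, uptime/boot estimate, MACs.

Added example for these notes. DAILY_OUT is a constructed sample laid out like
the excerpt above; its values are made up.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DAILY_OUT = """\
Sun Apr 12 13:27:17 EDT 2020

Removing old temporary files:

Network interface status:
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
lo0   16384 <Link#1>                          1072     0     1072     0     0
lo0   16384 127           localhost           1072     -     1072     -     -
en0   1500  <Link#4>      00:0c:29:c4:65:77 372733     0    73025     0     0
en0   1500  184.171.151/2 stu-181-151-171   372733     -    73025     -     -
utun0 1380  <Link#5>                             0     0        2     0     0

Local system status:
13:27  up 7 mins, 1 user, load averages: 7.76 3.82 1.64

-- End of daily output --
"""

# "Sun Apr 12 13:27:17 EDT 2020"; single-digit days are padded with a space.
DATE_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<tz>\w+) (?P<year>\d{4})$")
# Link-layer rows carry the MAC; lo0/gif0/utun rows have an empty Address column.
LINK_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+<Link#\d+>\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.I)
UPTIME_RE = re.compile(r"\bup\s+(?P<up>.+?),\s+\d+ users?,", re.I)
LOAD_RE = re.compile(r"load averages?:\s*([\d.]+)\s+([\d.]+)\s+([\d.]+)")
END_MARK = "-- End of daily output --"


def parse_uptime(text: str) -> timedelta:
    """'7 mins', '5:42', '1 day, 2:05', '3 days, 15 mins' -> timedelta."""
    total = timedelta()
    for part in (p.strip() for p in text.split(",")):
        if m := re.fullmatch(r"(\d+) days?", part):
            total += timedelta(days=int(m[1]))
        elif m := re.fullmatch(r"(\d+) mins?", part):
            total += timedelta(minutes=int(m[1]))
        elif m := re.fullmatch(r"(\d+) secs?", part):
            total += timedelta(seconds=int(m[1]))
        elif m := re.fullmatch(r"(\d+):(\d\d)", part):
            total += timedelta(hours=int(m[1]), minutes=int(m[2]))
        else:
            raise ValueError(f"unrecognised uptime component {part!r}")
    return total


@dataclass
class DailyRun:
    timestamp: datetime  # naive local time exactly as the script printed it
    tz: str              # zone abbreviation from the header line, e.g. EDT
    macs: Dict[str, str] = field(default_factory=dict)
    uptime: Optional[timedelta] = None
    load: Optional[Tuple[float, float, float]] = None

    @property
    def boot_time(self) -> Optional[datetime]:
        """Approximate boot time (uptime has minute granularity)."""
        return self.timestamp - self.uptime if self.uptime is not None else None


def parse_daily_out(text: str) -> List[DailyRun]:
    runs: List[DailyRun] = []
    current: Optional[DailyRun] = None
    for line in text.splitlines():
        if m := DATE_RE.match(line):
            # strptime's %Z only accepts UTC/GMT and the local zone names, so the
            # abbreviation (EDT, CET, ...) is kept as a string rather than parsed.
            ts = datetime.strptime(f"{m['mon']} {m['day']} {m['year']} {m['time']}",
                                   "%b %d %Y %H:%M:%S")
            current = DailyRun(timestamp=ts, tz=m["tz"])
            runs.append(current)
            continue
        if current is None:
            continue
        if m := LINK_RE.match(line):
            current.macs[m["name"]] = m["mac"].lower()
        elif m := UPTIME_RE.search(line):
            current.uptime = parse_uptime(m["up"])
            if lm := LOAD_RE.search(line):
                current.load = tuple(float(x) for x in lm.groups())
        elif line.strip() == END_MARK:
            current = None
    return runs


if __name__ == "__main__":
    for run in parse_daily_out(DAILY_OUT):
        print(run.timestamp, run.tz, "boot ~", run.boot_time, run.macs)
```

Because the file accumulates one block per day, a history of MACs, boot times and run timestamps falls out of the same parse; a changing en0 MAC or a boot time that does not match other artifacts is worth a closer look.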
Linux
/etc/*-release
/etc/hostname
/etc/hosts
/var/lib/NetworkManager, /var/lib/dhclient and /var/lib/dhcp (DHCP lease files: addresses, gateways, lease times and, for NetworkManager, the networks the machine has joined)
AWS
On AWS there is a service, the EC2 Instance Metadata Service (IMDS) at 169.254.169.254, that can be queried for EC2 instance information. Official docs. This data must be queried from within the instance.
⚠️ Turn off IMDS if you don't need it for work, or at least require IMDSv2 (session token) so that SSRF and proxied requests cannot read the role credentials it serves.
📘 BTFM
# list all buckets using an SSO profile
aws s3 ls --profile dev
# Querying the EC2 IMDS for instance information (plain IMDSv1-style GET; fails with 401 when IMDSv2 is enforced)
curl -s "http://169.254.169.254/latest/meta-data/ami-id"
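The same query done the IMDSv2 way (PUT a token request, then GET with the token header), as an added example that is not part of the original notes. FakeIMDS is a constructed stand-in for the metadata service so the exchange can be run offline; it also shows why the token-less GET above is refused once IMDSv2 is required. The ami-id and instance-id values are made up.

```python
"""Query EC2 IMDS with IMDSv2 (session token) and show v1 being refused.

Added example for these notes. FakeIMDS is a constructed stand-in, not AWS
code; the real endpoint is reached through urllib when no opener is given.
"""
import urllib.request
from urllib.error import HTTPError

IMDS_BASE = "http://169.254.169.254"
TOKEN_TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HDR = "X-aws-ec2-metadata-token"


def imds_get(path: str, opener=urllib.request.urlopen, ttl: int = 21600) -> str:
    """Return /latest/meta-data/<path> using an IMDSv2 session token."""
    tok_req = urllib.request.Request(f"{IMDS_BASE}/latest/api/token", method="PUT",
                                     headers={TOKEN_TTL_HDR: str(ttl)})
    with opener(tok_req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(f"{IMDS_BASE}/latest/meta-data/{path.lstrip('/')}",
                                 headers={TOKEN_HDR: token})
    with opener(req, timeout=2) as resp:
        return resp.read().decode()


def v1_probe(path: str, opener=urllib.request.urlopen) -> int:
    """HTTP status of a token-less GET: 200 if IMDSv1 is still allowed, 401 if not."""
    req = urllib.request.Request(f"{IMDS_BASE}/latest/meta-data/{path.lstrip('/')}")
    try:
        with opener(req, timeout=2) as resp:
            resp.read()
        return getattr(resp, "status", 200)
    except HTTPError as err:
        return err.code


class _Resp:
    """Minimal response object with the read()/context-manager surface we use."""
    def __init__(self, body: str):
        self._body = body.encode()

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeIMDS:
    """Constructed stand-in for IMDS that enforces IMDSv2 (hypothetical, offline)."""
    def __init__(self, metadata: dict):
        self.metadata = metadata
        self.tokens = set()
        self.requests = []  # (method, path) log, for inspection

    def __call__(self, req: urllib.request.Request, timeout=None):
        method, path = req.get_method(), req.selector
        self.requests.append((method, path))
        headers = {k.lower(): v for k, v in req.header_items()}
        if method == "PUT" and path == "/latest/api/token":
            if TOKEN_TTL_HDR.lower() not in headers:
                raise HTTPError(req.full_url, 400, "missing TTL header", {}, None)
            token = f"tok-{len(self.tokens) + 1}"
            self.tokens.add(token)
            return _Resp(token)
        if method == "GET" and path.startswith("/latest/meta-data/"):
            if headers.get(TOKEN_HDR.lower()) not in self.tokens:
                raise HTTPError(req.full_url, 401, "IMDSv2 token required", {}, None)
            key = path[len("/latest/meta-data/"):]
            if key not in self.metadata:
                raise HTTPError(req.full_url, 404, "not found", {}, None)
            return _Resp(self.metadata[key])
        raise HTTPError(req.full_url, 404, "not found", {}, None)


if __name__ == "__main__":
    fake = FakeIMDS({"ami-id": "ami-0123456789abcdef0"})  # constructed values
    print("v2:", imds_get("ami-id", opener=fake))
    print("v1 status:", v1_probe("ami-id", opener=fake))
```

On a real instance call imds_get("ami-id") with no opener; the PUT must originate on the instance itself, which (together with the default hop limit of 1) is what stops forwarded SSRF requests from obtaining a token.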
Android
📘 BTFM
# Battery stats (Google Play services data; reading /data/data needs root or a full file-system extraction)
cat /data/data/com.google.android.gms/shared_prefs/Batterystats.xml
# BatterystatsDumpsysTask
cat /data/data/com.google.android.gms/files/BatterystatsDumpsysTask.gz
iOS
If libimobiledevice is installed, run ideviceinfo. It prints the data of the connected device; a specific device can be targeted by its UDID (-u). One of the use cases: connect an iOS device and query it. Read the full docs here. How to use the ideviceinfo command here.
Power Log
📘 BTFM
/private/var/containers/Shared/SystemGroup/[APPGUID]/Library/BatteryLife/CurrentPowerlog.PLSQL
/private/var/containers/Shared/SystemGroup/[APPGUID]/Library/BatteryLife/Archives/powerlog_DATE_ID.PLSQL.gz
# KnowledgeC (SQLite; app usage, device state and similar events, with timestamps in seconds since 2001-01-01 UTC)
/private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db
Kubernetes
📘 BTFM
kubectl describe node | grep -i image # OS image of each node
kubectl describe pod <podname> | grep -i node # the node the pod is scheduled on
kubectl describe pod <podname> # lists the pod's containers with their images, state and restart counts
The output of kubectl describe pod <podname> also contains an Events section, which can be thought of as a short log of scheduling, image pull and restart events.
