Old
β οΈ Cloud Storage
Windows For OneDrive the most useful artifacts are stored locally. If you get access to the account online - may see the deleted items and their versions.
π₯ System Information
Windows Installed programs and applications Key π: Microsoft\Windows\CurrentVersion\Uninstall. There can be some data for programs that do not exist on the system anymore.
π Network Traffic
Collection Most of the devices keep some logs. As for the network-related issues are switches, routers, firewalls, IDS and IPS, web proxies, DC and authentication servers, DCHP servers and application servers.
π OSINT Techniques
This all about searching for the information publicly available.
π¬βοΈNotifications
Windows Toast notifications on Windows 10: C:\Users\%Username%\AppData\Local\Microsoft\Windows\Notifications contains wpndatabase.db and appdb.dat. Both can be opened with π SQLite Browser.
π£ Voice Assistants
Windows Cortana is a great source of information. C:\Users\%Username%\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.db contains user locations, reminders etc. Use a π SQLite browser to see the contents, or export to cvs and work in Excel.
π‘οΈ Defence Mechanisms
In this section, I will collect different defence mechanisms, bypass techniques and possible artefacts to look out for.
Misc
π User Statistics
This is about … .
π¦ Search History
This is about … .
Legal Acts
This is about … .