Windows For OneDrive, the most useful artifacts are stored locally. If you get access to the account online, you may also see the deleted items and their previous versions.
Reversing malware is a complex topic and is beyond the scope of this article. If you are interested in reversing techniques, refer to the Reverse section of this website. However, to reverse engineer something, one first needs to get that something. And to “catch” the malware, one needs to find it. To find it, one needs to know where to look. This article is meant to aid in that. I will also look into what evidence can be obtained from the malware itself.
Windows Installed programs and applications Key: Microsoft\Windows\CurrentVersion\Uninstall. This key can still hold entries for programs that no longer exist on the system.
Collection Most devices keep some logs. For network-related issues, the relevant sources are switches, routers, firewalls, IDS and IPS, web proxies, domain controllers and authentication servers, DHCP servers and application servers.
This is all about searching for information that is publicly available.
Windows Toast notifications on Windows 10: C:\Users\%Username%\AppData\Local\Microsoft\Windows\Notifications contains wpndatabase.db and appdb.dat. Both can be opened with SQLite Browser.
Windows Cortana is a great source of information. C:\Users\%Username%\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.db contains user locations, reminders etc. Use a SQLite browser to see the contents, or export to CSV and work in Excel.
In this section, I will collect different defence mechanisms, bypass techniques and possible artefacts to look out for.
This is about … .