Event Log Explorer

CyberCorp1

⛔️ Spoiler alert! Case Details Artefacts in posession: memory dump, OS event logs, registry files, Prefetch files, $MFT file, ShimCache, AmCache, network traffic dumps.

Windows Recent documents Key 🔑: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs Contains the list of all recent documents as a bunch and also the same data sorted by extension.

Event Log Explorer

CyberCorp1

🎞 Media Files