Windows Forensic Artifacts Cheat Sheet

Registry Hives
Hierarchical databases that store system, application, and user configuration data
• System Hives: SYSTEM, SECURITY, SOFTWARE, SAM
• System Hives Path: %Systemroot%\System32\config\
• User Hives: NTUSER.DAT, USRCLASS.DAT
• User Hives Paths:
  \Users\<user>\NTUSER.DAT,
  \Users\<user>\AppData\Local\Microsoft\Windows\USRCLASS.DAT
Tools: Regripper, Regedit (built-in), Registry Explorer

Registry Hive Mappings
SYSTEM        HKLM\System
SOFTWARE      HKLM\Software
SECURITY      HKLM\Security
SAM           HKLM\SAM
NTUSER.DAT    HKEY_USERS\<SID>            HKEY_CURRENT_USER
USRCLASS.DAT  HKEY_USERS\<SID>_Classes    HKEY_CURRENT_USER\Software\Classes

System Configuration Registry Keys
• Computer Name
  HKLM\System\ControlSet###\Control\Computername\
• Domain, Hostname, IP Address, DHCP Server
  HKLM\System\ControlSet###\Services\Tcpip\Parameters\
• Firewall Configuration
  HKLM\System\ControlSet###\Services\Sharedaccess\Parameters\Firewallpolicy\
• Map SIDs to Users
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\
• Network Shares
  HKLM\System\ControlSet###\Services\Lanmanserver\Shares
• OS Version and Product Name
  HKLM\Software\Microsoft\Windows NT\Currentversion
• System Time Zone
  HKLM\System\ControlSet###\Control\Windows
• Users that Logged On to the System
  HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Defaultusername, Altdefaultusername
• Users Active Directory Group Membership
  HKLM\Microsoft\Windows\CurrentVersion\Group Policy\[USER_SID]\GroupMembership
• USB Storage Devices
  HKLM\System\ControlSet###\Enum\USBSTOR\

Application Compatibility Artifacts
• “Shim Cache” – Contains path and time metadata for files that ran on the system
  HKLM\SYSTEM\ControlSet###\Control\Session Manager\AppCompatCache\AppCompatCache
• “Amcache” – Contains path, time, and SHA1 hash metadata for files that ran on the system
  “Amcache” Path: %Systemroot%\AppCompat\Programs\Amcache.hve
• “Recent File Cache” – Contains file path for files that ran on the system
  “Recent File Cache” Path: %Systemroot%\AppCompat\Programs\RecentFileCache.bcf
Tools: Mandiant ShimCacheParser.py, AppCompatCacheParser, AmcacheParser, rfcparse.py

Common Autorun Registry Keys
• Active Setup
  HKLM\Software\Microsoft\Active Setup\Installed Components\%APPGUID%
• AppInit DLLs
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
• Run Keys
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run, RunOnce
• Services and ServiceDLLs
  HKLM\System\ControlSet###\Services\<Servicename>, <ImagePath>
  HKLM\System\ControlSet###\Services\<Servicename>\Parameters, <servicedll>
• Shell Extensions
  HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
• UserInit
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

User Hive Registry Keys
• Shellbags: Keys in User Hives that track Explorer usage. Analysis can yield accessed file metadata.
  HKCU\Local Settings\Software\Microsoft\Windows\Shell\
  Tools: Shellbags.py, Shellbags Explorer
• “Most Recently Used” or “MRU” keys
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
• MUICache (Recently Executed Applications)
  HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
  HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
• Mounted Volumes & Mapped Network Drives
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\<drive/GUID>
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
• Opened Documents
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
• Remote Desktop – Last Accessed History
  HKCU\Software\Microsoft\Terminal Server Client\Default
• TypedURLs (Manually inputted into Internet Explorer)
  “HKCU\Software\Microsoft\Internet Explorer\TypedURLs” OR “…\TypedPaths” (Vista & later)
• UserAssist (Frequently Executed Applications)
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

*Note: Locations assume use of Vista/2008+ systems


Master File Table (MFT)
Stores information about every file and directory on an NTFS Volume.
Location: <drive>\$MFT
Tools: Acquire with FTK Imager, other raw disk access. Parse with MFT2CSV

INDX Attributes
Contains metadata about files stored within a directory
Location: $I30 files (a.k.a. “INDX” files) within each directory
Tools: Acquire with FTK Imager or other raw disk access. Parse with INDXParse.py

Windows Management Instrumentation
WMI can provide malware persistence and record evidence of program execution
Location: %systemroot%\System32\wbem\Repository\OBJECTS.DATA
Tools: https://github.com/fireeye/flare-wmi/tree/master/python-cim

Browser History
• Internet Explorer 10 & 11
  C:\Users\<user>\AppData\Local\Microsoft\Windows\WebCache
• Google Chrome
  C:\Users\<user>\AppData\Local\Google\Chrome\User Data
• Mozilla Firefox
  C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>

Scheduled Tasks
“SchedLgU.txt” Log: History of scheduled tasks that previously ran on the system
  %systemroot%\tasks\SchedLgU.txt, Microsoft-Windows-TaskScheduler%4Operational.evtx
“.job” file path: %systemroot%\tasks\*.job
Tools: Text editor for “SchedLgU.txt”, hex editor or “jobparser.py” for “.job” files

Prefetch
Cached data for files that have previously executed on a system.
Location: %systemroot%\prefetch\*.pf
Tools: WinPrefetchView, strings

Common A/V Log Locations
• McAfee: %allusersprofile%\McAfee\DesktopProtection\*.txt
• Symantec: %allusersprofile%\Symantec\Symantec EndpointProtection\Logs\AVMan.log
• Trend Micro: Path listed at HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\
• Sophos: C:\ProgramData\Sophos\Sophos Anti-Virus\logs\sav.txt
• Windows Defender: C:\ProgramData\Microsoft\Windows Defender\Support\*.log

Event Logs
Windows’ built-in logging mechanism
Key Logs: Application, Security, System, Terminal Services Logs for evidence of RDP access (Microsoft-Windows-TerminalServices-LocalSessionManager, Microsoft-Windows-TerminalServices-RemoteconnectionManager); Task Scheduler log for evidence of scheduled tasks (Microsoft-Windows-TaskScheduler)
Location: %systemroot%\System32\winevt\Logs\*.evtx
Tools: Event Viewer (built-in), Microsoft Log Parser, Event Log Explorer (commercial)

Windows Logon Types
Type               Code    Type                 Code
Interactive        2       NetworkCleartext     8
Network Logons     3       NewCredentials       9
Batch              4       RemoteInteractive    10
Service            5       CacheInteractive     11
Unlock             7

Windows Event Log Codes (Windows Vista/2008+)
Status Message                      Code    Status Message                    Code
Scheduled Task Registered           106     New Process                       4688
Remote Desktop Auth Succeeded       1149    Process Exit                      4689
Audit Logs Cleared                  1102    Scheduled Task Created            4698
Powershell Scriptblock contents     4104    Scheduled Task Deleted            4699
Powershell Scriptblock start        4105    Scheduled Task Updated            4702
Powershell Scriptblock stop         4106    Service Start / Stop Control      7035
Network Logons                      4624    Service Running / Stopped         7036
Logon Using Explicit Credentials    4648    Service Installation              7045

Windows Timestamps
Operations (columns): Rename, Local Move, Volume Move, Copy, Access, Modify, Create, Delete. An X marks an operation that updates the timestamp; the column placement of the X marks did not survive in this copy, so each row shows only how many operations are marked.

$STD_INFORMATION
Modified        X X
Accessed        X X X
Created         X X
Entry Modified  X X X X

$FN_NAME
Modified        X X X X X
Accessed        X X X
Created         X X X
Entry Modified  X X X X X
