- C:\Users\<username>\NTUSER.DAT
- SAM, SECURITY, SOFTWARE, SYSTEM files:
  - C:\Windows\System32\config\SAM
  - C:\Windows\Repair\SAM
  - Export the live hive with `reg save hklm\sam c:\sam`
User database. Pay special attention to unrecognized users and activity dates:
- Locked accounts
- Last login time
- Last password change time
- Account creation time
The NTUSER.DAT file in each user's directory is their personal registry hive. It's not included in the system registry files and must be loaded manually and investigated separately. Each value tracks the process name and full path.
Recently used applications and the application's most recently referenced file. Could reveal file structure on removed drives/devices as well as deleted files.
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
- NTUSER.DAT\SOFTWARE\Microsoft\Office\VERSION
- NTUSER.DAT\SOFTWARE\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU
Shellbags store information on folders whose view settings have been modified. They reveal the user's access patterns on the machine, specifically which folders were opened.
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\Shell\BagMRU
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\Shell\Bags
All values are ROT-13 Encoded
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\
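Decoding one UserAssist entry by hand, as an added example that is not part of the original page: the ROT-13 encoded value name is decoded and the 72-byte Windows 7+ value data is unpacked into run count, focus statistics and last-execution FILETIME. The value name and data below are constructed for the example; the field layout (run count at offset 4, FILETIME at offset 60) is the documented Win7+ format.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample, not a real registry export: one UserAssist value as it
# appears under ...\UserAssist\{GUID}\Count. The name is ROT-13 encoded and the
# leading known-folder GUID (here FOLDERID_System) is rotated with the rest.
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
SAMPLE_DATA = (
    struct.pack("<IIII", 0, 7, 3, 45000)     # session, run count, focus count, focus time (ms)
    + b"\x00" * 44                            # ten floats plus four unknown bytes
    + struct.pack("<Q", 132593328000000000)   # last execution FILETIME (2021-03-04 12:00 UTC)
    + b"\xff" * 4                             # trailer
)

def rot13(text: str) -> str:
    """UserAssist names are ROT-13 encoded; digits, braces and backslashes pass through."""
    return codecs.decode(text, "rot_13")

def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never run."""
    if filetime == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def parse_userassist(name: str, data: bytes) -> dict:
    """Parse one Windows 7+ UserAssist value (72-byte layout)."""
    if len(data) != 72:
        raise ValueError(f"expected a 72-byte Win7+ UserAssist value, got {len(data)} bytes")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": rot13(name),
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_s": focus_ms / 1000,
        "last_run": filetime_to_datetime(last_run),
    }

if __name__ == "__main__":
    for field, value in parse_userassist(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{field:>13}: {value}")
```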
A history of searches typed into the Start menu search bar. Entries are in Unicode and listed in temporal order.
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Devices are listed by GUID. The key's last modified time reflects the last time the device was plugged in.
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Tools such as VSSADMIN, MKLINK, ShadowExplorer and others allow mounting shadow volumes and exploring their contents.
This can include Windows Defender, Symantec, McAfee, Sophos and many other vendors. Identify any detections around times of interest.
- C:\Windows\System32\winevt\Logs\*.evtx
- C:\Windows\System32\LogFiles\Firewall\pfirewall.log
  - Not set to log by default
- %ProgramData%\McAfee\Endpoint Security\Logs\*.log
Determine the first plug-in occurrence of a device based on its serial number.
- C:\Windows\setupapi.log
- C:\Windows\inf\setupapi.dev.log
Thumbnails of pictures, Office documents, and folders exist in a database called the thumbcache. Each user has their own database, split by the thumbnail sizes the user has viewed (small, medium, large, and extra large). These are created when a user switches a folder to thumbnail view or views pictures in a slide show. Win7+ has four thumbnail sizes, and the files in the cache folder reflect this:
- 32 -> small
- 96 -> medium
- 256 -> large
- 1024 -> extra large
The thumbcache stores the thumbnail copy of a picture in the database file matching its size.
- %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer
A hidden thumbs.db file is stored in each directory containing images. thumbs.db catalogs the pictures in a folder and stores a copy of each as a thumbnail. The entries persist even if the pictures are deleted.
- *.thumbs.db
- %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook\*.ost
- %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook\*.pst
- %USERPROFILE%\AppData\Local\Microsoft\Outlook\*.ost
- %USERPROFILE%\AppData\Local\Microsoft\Outlook\*.pst
- *.pst
- *.ost
Review for evidence of callouts by the malware to a C2 or other staging site.
Internet Explorer 6-7
- %USERPROFILE%\Local Settings\History\History.IE5\*
Internet Explorer 8-9
- %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat
Internet Explorer 10-11
- %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Firefox v3-25
- %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite
Firefox v26+
- %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\places.sqlite (table: moz_annos)
Chrome
- %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History*
Firefox on XP
- %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite
Firefox on Win7/8/10
- %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\downloads.sqlite
Internet Explorer 8-9
- %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\*
Internet Explorer 10-11
- %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Internet Explorer 6-8
- %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies\*
Internet Explorer 10
- %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies\*
Internet Explorer 11
- %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies\*
Firefox on Windows XP
- %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<random text>.default\cookies.sqlite
Firefox on Windows 7/8/10
- %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<random text>.default\cookies.sqlite
Chrome on Windows XP
- %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage
Chrome on Windows 7/8/10
- %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Storage\*
Jump Lists are essentially shortcuts to items frequently used by programs. When right-clicking an icon in the task bar, commonly accessed items show up. These are stored in jump lists in each user directory and include recent tasks and media files. Each file in the AutomaticDestinations folder is named with the AppID of the associated application.
- %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*
See JumpList Explorer at https://ericzimmerman.github.io/#!index.md
- C:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\L.<profile>\ActivitiesCache.db
ProgramDataUpdater (a task associated with the Application Experience service) uses the registry hive Amcache.hve to store data during process creation, including SHA1 hashes. Review it for evidence of potential program execution. In some versions of Windows (for example Windows 7), AppCompatCache tracks the last modification time of a program, not its last execution time.
- C:\Windows\AppCompat\Programs\Amcache.hve
- See RegRipper's amcache plugin at https://github.com/keydet89/RegRipper2.8
- See AmcacheParser at https://ericzimmerman.github.io/#!index.md
Records 30 to 60 days of historical system performance:
- Which user launched which process
- Data uploaded/downloaded per network and per process
- Estimated application run times
- Tracking of deleted, uninstalled and external programs
Locations
- C:\Windows\System32\sru\SRUDB.dat
Resources
- Convert the database to CSV with https://github.com/libyal/libesedb
- Research paper at https://www.sciencedirect.com/science/article/pii/S1742287615000031
- %USERPROFILE%\Recent\*.lnk
- %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\*.lnk
- %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\*.lnk
Windows Prefetch files are designed to speed up application startup by pre-loading code pages of commonly used applications, and they can confirm application execution. Each .pf file includes the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp of the last time the program was run. The file name includes a hash. Windows 8-10 files contain the last 8 execution times.
- %windir%\Prefetch\*.pf
- Limited to 128 files on XP and Win7
- Limited to 1024 files on Win8
- (exename)-(hash).pf
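Reading the execution evidence out of a .pf header, as an added example that is not part of the original page: the parser recovers the executable name, rebuilds the (exename)-(hash).pf file name from the header's hash field, and extracts the run count plus one (Windows 7, version 23) or eight (Windows 8, version 26) last-run FILETIMEs. The sample files are constructed in `build_sample`, not real captures; the hash values are arbitrary placeholders.

```python
import struct
from datetime import datetime, timedelta, timezone

# File-information offsets that differ between Prefetch format versions:
# 23 = Windows 7 (one last-run time), 26 = Windows 8.x (eight last-run times).
# Windows 10 files (version 30) are stored Xpress-compressed behind an "MAM"
# signature and must be decompressed before this header is visible.
LAYOUT = {
    23: {"run_times_offset": 0x80, "run_times": 1, "run_count_offset": 0x98},
    26: {"run_times_offset": 0x80, "run_times": 8, "run_count_offset": 0xD0},
}

def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def parse_prefetch(data: bytes) -> dict:
    """Parse the header and run statistics of an uncompressed .pf file."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature (compressed or not a Prefetch file)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported Prefetch version {version}")
    layout = LAYOUT[version]
    # 60-byte NUL-terminated UTF-16LE executable name at offset 16, path hash at 76.
    executable = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 76)
    (run_count,) = struct.unpack_from("<I", data, layout["run_count_offset"])
    raw_times = struct.unpack_from(f"<{layout['run_times']}Q", data, layout["run_times_offset"])
    return {
        "version": version,
        "executable": executable,
        "file_name": f"{executable}-{path_hash:08X}.pf",  # the (exename)-(hash).pf convention
        "run_count": run_count,
        "last_runs": [filetime_to_datetime(t) for t in raw_times if t],  # unused slots are zero
    }

def build_sample(version: int, executable: str, path_hash: int, run_count: int, run_times: list) -> bytes:
    """Constructed test input (not a real capture): header plus the run-statistics fields."""
    layout = LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    buf[16:16 + 2 * len(executable)] = executable.encode("utf-16-le")
    struct.pack_into("<I", buf, 76, path_hash)
    struct.pack_into("<I", buf, layout["run_count_offset"], run_count)
    for i, t in enumerate(run_times):
        struct.pack_into("<Q", buf, layout["run_times_offset"] + 8 * i, t)
    return bytes(buf)

# 132593328000000000 is 2021-03-04 12:00:00 UTC; the second Win8 sample time is one day earlier.
SAMPLE_WIN8 = build_sample(26, "NOTEPAD.EXE", 0x12345678, 3, [132593328000000000, 132592464000000000])
SAMPLE_WIN7 = build_sample(23, "CMD.EXE", 0x0ABCDEF0, 5, [132593328000000000])
```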
- Unusual allows and blocks
- C:\Documents and Settings\<username>\Application Data\Skype\<skype-name>\*
- %USERPROFILE%\AppData\Roaming\Skype\<skype-name>\*
- Both inbound and outbound