WindowsArtifacts
Forensic Artifacts Rundown
Disk overview of Artifacts
Windows Registry:
Located on disk and in memory if the system is running; located on disk only if the system is offline.
EVTX Logs:
Application/Function specific
SuperTimeline CSVs:
Disk image is run through fls (The Sleuth Kit) or log2timeline
Memory is run through Volatility timeliner
Combined and viewed through Timeline Explorer
Memory Analysis Outputs:
Volatility and its plugins
Rekall and its plugins
FireEye's Redline
Artifacts that give evidence of execution:
Shimcache - Windows registry
Prefetch - Windows prefetch directory
Amcache - Windows registry
Windows User Assist (GUI Execution) - Windows registry
Bam - Windows registry
File Downloads:
Open/Save MRU - Windows registry
Email Attachments - Windows user directory
Browser Artifacts - Windows user app data
Downloads - Browser DBs and folders and Downloads folder
Amcache - evidence of execution
%%Run in an elevated cmd prompt %%
AmcacheParser.exe -f "C:\Windows\appcompat\Programs\Amcache.hve" --csv c:\temp\amcache
Prefetch - evidence of execution
Copy prefetch files to the local machine, into a folder named after the target's IP (one IP per line in IPs.txt; the backslashes were lost in the original rendering):
FOR /F %i in (IPs.txt) do @mkdir .\%i && copy /Y \\%i\c$\Windows\Prefetch\*.pf .\%i
Shimcache - evidence of execution
%%Run in an elevated cmd prompt BUT CAN ALSO BE RUN AS USER %%
AppCompatCacheParser.exe --csv c:\temp\shimcache
Windows Link Files
Officially referred to as shortcut files
A link file has its own MACB timestamps (from the file system). Embedded in the .lnk file itself are the created, modified and accessed times of the originating file; these are the times as they existed on the source file when the link was created.
If all the embedded timestamps are the same, it indicates that the user has only interacted with the file once.
Should the user interact with the file again, the modified and accessed timestamps will be updated. There could be any number of accesses, but you will only ever know that it has been accessed twice.
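As an added example (not part of these notes), a small Python parser that reads the three target timestamps embedded in a .lnk ShellLinkHeader and applies the interaction rule described above. The sample headers it builds are constructed for the demo, not real link files, and the rule it encodes is the one stated in the notes.

```python
import struct
from datetime import datetime, timedelta, timezone

# MS-SHLLINK ShellLinkHeader is 76 (0x4C) bytes; the target's CreationTime,
# AccessTime and WriteTime FILETIMEs sit at offsets 0x1C, 0x24 and 0x2C.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_lnk_target_times(data: bytes) -> dict:
    """Return the originating file's MAC times embedded in a .lnk header."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    created, accessed, written = struct.unpack_from("<QQQ", data, 0x1C)
    return {"target_created": filetime_to_datetime(created),
            "target_accessed": filetime_to_datetime(accessed),
            "target_modified": filetime_to_datetime(written)}

def interaction_summary(times: dict) -> str:
    """Rule from the notes: identical embedded times -> one interaction;
    a later modified/accessed time -> the file was touched again."""
    if times["target_created"] == times["target_accessed"] == times["target_modified"]:
        return "single interaction: embedded created/modified/accessed are identical"
    return "accessed again after link creation: modified/accessed differ from created"

def build_sample_header(created: int, accessed: int, written: int) -> bytes:
    """Constructed sample header (not a real file): only the fields read above are set."""
    return struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, 0, 0x20,
                       created, accessed, written, 0, 0, 1, 0, 0, 0, 0)

# Constructed timestamps: link created once vs. target opened again two days later.
T0 = to_filetime(datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc))
T1 = to_filetime(datetime(2023, 5, 3, 9, 30, tzinfo=timezone.utc))
LNK_ONCE = build_sample_header(T0, T0, T0)
LNK_AGAIN = build_sample_header(T0, T1, T1)
```

On a real link file, read the first 76 bytes and pass them to parse_lnk_target_times; compare the result against the .lnk's own file-system MACB times to see when the link itself was last refreshed.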