Windows Forensic Artifacts Cheat Sheet

Registry Hives
Hierarchical databases that store system, application, and user configuration data
• System Hives: SYSTEM, SECURITY, SOFTWARE, SAM
• System Hives Path: %Systemroot%\System32\config\
• User Hives: NTUSER.DAT, USRCLASS.DAT
• User Hives Paths:
  \Users\<user>\NTUSER.DAT
  \Users\<user>\AppData\Local\Microsoft\Windows\USRCLASS.DAT
Tools: RegRipper, Regedit (built-in), Registry Explorer

Registry Hive Mappings (hive file -> location in the live registry)
SYSTEM       HKLM\System
SOFTWARE     HKLM\Software
SECURITY     HKLM\Security
SAM          HKLM\SAM
NTUSER.DAT   HKU\<SID> (HKCU for the logged-on user)
USRCLASS.DAT HKU\<SID>_Classes (HKCU\Software\Classes)

Evidence of Program Execution
• "Shim Cache" (AppCompatCache) – Contains path and time metadata for executables seen by the application-compatibility subsystem. The timestamp is the file's last-modified time, not an execution time; the cache is flushed to the registry at shutdown or reboot, and on Windows 10 and later it no longer carries an execution flag, so an entry proves the file was present, not that it ran.
  HKLM\SYSTEM\ControlSet###\Control\Session Manager\AppCompatCache (AppCompatCache value, REG_BINARY)
• "Amcache" – Contains path, time, and SHA1 hash metadata for executables that were present on or ran on the system. The SHA1 covers only the first 31 MB of the file, so it will not match a full-file hash of a larger binary.
  Path: %Systemroot%\AppCompat\Programs\Amcache.hve
• "Recent File Cache" (Windows 7 only) – Contains file paths for executables that ran on the system
  Path: %Systemroot%\AppCompat\Programs\RecentFileCache.bcf
Tools: Mandiant ShimCacheParser.py, AppCompatCacheParser, AmcacheParser, rfcparse.py

Common Autorun Registry Keys
• Active Setup (the StubPath value runs once per user at logon)
  HKLM\Software\Microsoft\Active Setup\Installed Components\%APPGUID%
• AppInit DLLs (empty by default; anything listed is loaded into every process that links user32.dll)
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
• Run Keys (the same keys under HKCU live in the user's NTUSER.DAT)
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run, RunOnce
• Services and ServiceDLLs
  HKLM\System\ControlSet###\Services\<Servicename> (ImagePath value)
  HKLM\System\ControlSet###\Services\<Servicename>\Parameters (ServiceDll value, for svchost-hosted services)
• Shell Extensions
  HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
• UserInit (default is %Systemroot%\system32\userinit.exe, with a trailing comma; anything appended runs at every interactive logon)
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
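Added example, not part of the cheat sheet: a PowerShell triage script that walks the autorun locations listed under Common Autorun Registry Keys on a live host and reports the entries a responder would look at first. It assumes an elevated Windows PowerShell 5.1 or later session, that the "expected" Userinit value is the stock Windows default, and that the trusted-directory prefix list (SystemRoot and the Program Files trees) is a triage heuristic chosen for this example, not an allowlist from the page.

```powershell
# Added example (not from the cheat sheet): triage the autorun locations listed
# above on a live Windows host. Assumptions (not from the page): run elevated in
# Windows PowerShell 5.1+; "expected" values are stock Windows defaults; the
# trusted-prefix list is a triage heuristic, not an allowlist.

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Location, [string]$Name, $Value, [string]$Note) {
    $Findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Value = $Value; Note = $Note })
}
# Read every value under a key via the RegistryKey object (avoids the PS* noise properties).
function Get-KeyValues([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $k = Get-Item -LiteralPath $Path
    foreach ($n in $k.GetValueNames()) { [pscustomobject]@{ Name = $n; Value = $k.GetValue($n) } }
}
# Heuristic: expand %VARS%, normalise NT-style prefixes, strip a leading quote,
# and check whether the command line starts inside a trusted directory.
function Test-TrustedPath([string]$Raw) {
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $true }
    $p = [Environment]::ExpandEnvironmentVariables($Raw).Trim().TrimStart('"')
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^(system32|syswow64)\\') { $p = Join-Path $env:SystemRoot $p }   # relative driver paths
    $trusted = @(@($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })
    foreach ($t in $trusted) { if ($p.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { return $true } }
    return $false
}

# Run / RunOnce: every value is an autostart; the HKCU copies live in NTUSER.DAT.
foreach ($h in 'HKLM','HKCU') { foreach ($k in 'Run','RunOnce') {
    $loc = "$($h):\Software\Microsoft\Windows\CurrentVersion\$k"
    foreach ($v in Get-KeyValues $loc) {
        $note = if (Test-TrustedPath $v.Value) { 'autostart' } else { 'autostart OUTSIDE trusted dirs' }
        Add-Finding $loc $v.Name $v.Value $note
    }
}}
# Winlogon\Userinit: expected "<SystemRoot>\system32\userinit.exe," (trailing comma); extra entries = persistence.
$wl = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -LiteralPath $wl -Name Userinit).Userinit
$expected = "$env:SystemRoot\system32\userinit.exe"
if ($userinit.TrimEnd(',') -ine $expected) { Add-Finding $wl 'Userinit' $userinit "expected '$expected,'" }
# AppInit_DLLs: empty by default; anything listed is loaded into every user32-linked process.
foreach ($w in 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $ai = Get-ItemProperty -LiteralPath $w -ErrorAction SilentlyContinue
    if ($ai -and -not [string]::IsNullOrWhiteSpace($ai.AppInit_DLLs)) {
        Add-Finding $w 'AppInit_DLLs' $ai.AppInit_DLLs "non-empty (LoadAppInit_DLLs=$($ai.LoadAppInit_DLLs))"
    }
}
# Active Setup: StubPath is the command run once per user at logon.
foreach ($c in Get-ChildItem 'HKLM:\Software\Microsoft\Active Setup\Installed Components') {
    $stub = $c.GetValue('StubPath')
    if ($stub -and -not (Test-TrustedPath $stub)) { Add-Finding $c.Name 'StubPath' $stub 'stub outside trusted dirs' }
}
# Services: ImagePath (binary or driver) and Parameters\ServiceDll (svchost-hosted DLL).
foreach ($s in Get-ChildItem 'HKLM:\System\CurrentControlSet\Services') {
    $img = $s.GetValue('ImagePath')
    if ($img -and -not (Test-TrustedPath $img)) { Add-Finding $s.Name 'ImagePath' $img 'service binary outside trusted dirs' }
    $dll = (Get-ItemProperty -LiteralPath "$($s.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll -and -not (Test-TrustedPath $dll)) { Add-Finding $s.Name 'ServiceDll' $dll 'svchost DLL outside trusted dirs' }
}
# Shell Extensions: the Approved subkey lists CLSIDs; resolve each to the DLL Explorer will load.
$approved = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
foreach ($v in Get-KeyValues $approved) {
    $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($v.Name)\InprocServer32"
    $dll = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
    if ($dll -and -not (Test-TrustedPath $dll)) { Add-Finding $approved $v.Name $dll 'shell extension outside trusted dirs' }
}
$Findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the host under investigation (or a mounted image whose hives have been loaded with reg.exe and the HKLM: paths adjusted). Everything under Run/RunOnce is reported regardless of path because any entry there is an autostart; the other locations only surface entries that point outside the trusted prefixes, so review the prefix list before relying on a clean result.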
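Added example, not part of the cheat sheet and not one of the tools it lists: a PowerShell script that mounts an offline SYSTEM hive and Amcache.hve with reg.exe, parses the Windows 10 and later ("10ts") AppCompatCache blob described under Evidence of Program Execution, and pulls path, SHA1 and link date out of Amcache to cross-check against a hash IOC list. It assumes the hive files were copied out of a disk image (both are locked on a running host), that the session is elevated, that the default $SystemHive and $AmcacheHive paths and the $IocSha1 list are placeholders you replace, and that the parser only needs to handle the 10ts entry layout (older ShimCache formats throw rather than being misparsed).

```powershell
# Added example (not from the cheat sheet): read ShimCache and Amcache from offline
# hive copies. Assumptions (not from the page): elevated session; hives copied from an
# image; $SystemHive/$AmcacheHive defaults and $IocSha1 are placeholders; only the
# Windows 10+ "10ts" AppCompatCache layout is parsed.
param(
    [string]$SystemHive  = 'E:\evidence\Windows\System32\config\SYSTEM',
    [string]$AmcacheHive = 'E:\evidence\Windows\AppCompat\Programs\Amcache.hve',
    [string[]]$IocSha1   = @()
)

function Mount-Hive([string]$Name, [string]$File) {
    & reg.exe load "HKLM\$Name" $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load of $File failed (not elevated, or hive in use?)" }
}
function Dismount-Hive([string]$Name) {
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()   # drop provider handles or the unload fails
    & reg.exe unload "HKLM\$Name" | Out-Null
}

# Windows 10+ AppCompatCache: entries start at 0x30 (1507/1511) or 0x34 (1607+), each
# "10ts" + unknown(4) + entryLen(4) + pathLen(2) + UTF-16 path + FILETIME(8) + dataLen(4) + data.
function Parse-ShimCache10([byte[]]$Blob) {
    $pos = @(0x30, 0x34) | Where-Object { [Text.Encoding]::ASCII.GetString($Blob, $_, 4) -eq '10ts' } | Select-Object -First 1
    if ($null -eq $pos) { throw 'not a Windows 10+ AppCompatCache blob (no 10ts signature at 0x30/0x34)' }
    while ($pos + 14 -le $Blob.Length) {
        if ([Text.Encoding]::ASCII.GetString($Blob, $pos, 4) -ne '10ts') { break }   # padding / end of data
        $pathLen = [BitConverter]::ToUInt16($Blob, $pos + 12)
        $path    = [Text.Encoding]::Unicode.GetString($Blob, $pos + 14, $pathLen)
        $ft      = [BitConverter]::ToInt64($Blob, $pos + 14 + $pathLen)
        $dataLen = [BitConverter]::ToUInt32($Blob, $pos + 22 + $pathLen)
        # LastModified is the file's $STANDARD_INFORMATION mtime, NOT an execution time.
        [pscustomobject]@{ Path = $path; LastModified = [DateTime]::FromFileTimeUtc($ft) }
        $pos += 26 + $pathLen + $dataLen
    }
}

Mount-Hive 'EvSYSTEM' $SystemHive
try {
    $cs   = (Get-ItemProperty 'HKLM:\EvSYSTEM\Select').Current          # which ControlSet### was live
    $key  = 'HKLM:\EvSYSTEM\ControlSet{0:D3}\Control\Session Manager\AppCompatCache' -f $cs
    $shim = @(Parse-ShimCache10 (Get-ItemProperty $key).AppCompatCache)
    "ShimCache entries: $($shim.Count) (cache order is roughly most-recently-inserted first)"
    $shim | Select-Object -First 10 | Format-Table -AutoSize
} finally { Dismount-Hive 'EvSYSTEM' }

Mount-Hive 'EvAmcache' $AmcacheHive
try {
    # Windows 10+: Root\InventoryApplicationFile\<id>, FileId = "0000" + SHA1 of the first 31 MB.
    $entries = foreach ($k in Get-ChildItem 'HKLM:\EvAmcache\Root\InventoryApplicationFile' -ErrorAction SilentlyContinue) {
        $fid = [string]$k.GetValue('FileId')
        [pscustomobject]@{
            Path     = $k.GetValue('LowerCaseLongPath')
            Sha1     = if ($fid.Length -gt 4) { $fid.Substring(4) } else { $null }
            LinkDate = $k.GetValue('LinkDate')
        }
    }
    if (-not $entries) {
        # Windows 7/8.x layout: Root\File\<volume>\<id> with numbered values (15 = path, 101 = "0000" + SHA1).
        $entries = foreach ($vol in Get-ChildItem 'HKLM:\EvAmcache\Root\File') {
            foreach ($k in Get-ChildItem $vol.PSPath) {
                $fid = [string]$k.GetValue('101')
                [pscustomobject]@{ Path = $k.GetValue('15'); Sha1 = if ($fid.Length -gt 4) { $fid.Substring(4) } else { $null }; LinkDate = $null }
            }
        }
    }
    "Amcache entries: $(@($entries).Count)"
    $hits = @($entries | Where-Object { $_.Sha1 -and ($IocSha1 -contains $_.Sha1) })   # -contains is case-insensitive
    if ($hits) { 'IOC HITS:'; $hits | Format-Table -AutoSize } else { 'no Amcache SHA1 matched the IOC list' }
} finally { Dismount-Hive 'EvAmcache' }
```

Invoke it as `.\Get-ExecutionArtifacts.ps1 -SystemHive <copy of SYSTEM> -AmcacheHive <copy of Amcache.hve> -IocSha1 @('<sha1>', ...)` from an elevated prompt; the script name is a placeholder. Because the Amcache hash covers only the first 31 MB, compare against IOC hashes produced the same way (AmcacheParser does this) rather than full-file SHA1s for large binaries, and treat a ShimCache entry on Windows 10 or later as evidence of presence, corroborating execution from Amcache, Prefetch or event logs.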