
Forensic Cheat Sheet

Windows

Interactive Session

This section is for artifacts which are created when a user has an interactive desktop session, either sitting at the system or via a remote desktop session.
Run Box
RunMRU - Provides list of commands executed via the Run Box
  • Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Documents
File MRU/Place MRU - Provides list of Office documents opened, with full path (Office 2013 and later nest the MRU under a per-account User MRU key; earlier versions place File MRU directly under the product key)
  • Location: HKCU\Software\Microsoft\Office\<version>\<Office Product>\User MRU\<profile ID>\<File MRU or Place MRU>
Windows Explorer
TypedPaths - Provides list of paths typed by the user into the Windows Explorer address bar (values url1, url2, ...)
  • Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

OpenSaveMRU/LastVisitedMRU - Provides list of files opened and saved via common dialog boxes (grouped by extension) and the applications that used those dialogs; on Windows Vista and later the keys are named OpenSavePidlMRU and LastVisitedPidlMRU and store binary PIDLs rather than plain paths
  • Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\<OpenSaveMRU or LastVisitedMRU> (OpenSavePidlMRU or LastVisitedPidlMRU on Vista and later)

UserAssist - Provides list of programs executed by the user via Explorer (GUI launches, not console ones), with run count and last execution time; entries sit under {GUID}\Count subkeys and the value names are ROT13-encoded
  • Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Internet Explorer
TypedURLs - Provides a list of URLs and paths typed into the Internet Explorer or Windows Explorer address bar (values url1, url2, ...; url1 is the most recent)
  • Location: HKCU\Software\Microsoft\Internet Explorer\TypedURLs
Windows Search
ACMru - Contains recent search terms entered in Windows Search (Windows XP); four subkeys exist: 5001 (Internet search), 5603 (files and folders), 5604 (word or phrase in a file), 5647 (computers/people/printers)
  • Location: HKCU\Software\Microsoft\Search Assistant\ACMru
  • Windows 7 and later replace this with WordWheelQuery: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
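The two artifacts above that need decoding before they are useful are RunMRU (an MRUList value gives the order) and UserAssist (ROT13 names, binary records). The following is an added example for this cheat sheet, not code from the original page or its referenced sources. It runs on a live system as the user under investigation (HKCU) and assumes Windows 7 or later, where each UserAssist record is 72 bytes with the run count at offset 4 and the last-execution FILETIME at offset 60; the 16-byte Windows XP layout is not handled.

```powershell
# Added example, not from the original cheat sheet: pull RunMRU and UserAssist from the
# live HKCU hive of the logged-on user and present them in an analyst-friendly form.
# Assumes Windows 7 or later (72-byte UserAssist records); the XP 16-byte layout differs.

function ConvertFrom-Rot13 {
    # UserAssist value names are ROT13-encoded; ROT13 is its own inverse.
    param([Parameter(Mandatory)][string]$Text)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Text.ToCharArray()) {
        $n = [int]$c
        if     ($n -ge 65 -and $n -le 90)  { $n = 65 + (($n - 65 + 13) % 26) }   # A-Z
        elseif ($n -ge 97 -and $n -le 122) { $n = 97 + (($n - 97 + 13) % 26) }   # a-z
        [void]$sb.Append([char]$n)
    }
    $sb.ToString()
}

function Get-RunMru {
    # Values are named a, b, c, ...; MRUList orders them, most recent letter first.
    # Each entry carries a trailing "\1" that Explorer appends; strip it for display.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $p = Get-ItemProperty -Path $key
    if (-not $p.MRUList) { return }
    $rank = 0
    foreach ($letter in $p.MRUList.ToCharArray()) {
        $rank++
        [PSCustomObject]@{
            Rank    = $rank
            Value   = [string]$letter
            Command = ([string]$p."$letter") -replace '\\1$', ''
        }
    }
}

function Get-UserAssist {
    # Each {GUID}\Count subkey holds one REG_BINARY record per program:
    # run count at offset 4 (UInt32), last execution FILETIME at offset 60 (Int64).
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    foreach ($guidKey in Get-ChildItem -Path $base) {
        $countPath = "$base\$($guidKey.PSChildName)\Count"
        if (-not (Test-Path $countPath)) { continue }
        $item = Get-Item -Path $countPath
        foreach ($name in $item.GetValueNames()) {
            $data = $item.GetValue($name)
            if ($data -isnot [byte[]] -or $data.Length -lt 68) { continue }
            $ft = [BitConverter]::ToInt64($data, 60)
            $lastRun = $null
            if ($ft -gt 0) {
                try { $lastRun = [DateTime]::FromFileTimeUtc($ft) } catch { }
            }
            [PSCustomObject]@{
                Source     = $guidKey.PSChildName
                Program    = ConvertFrom-Rot13 -Text $name
                RunCount   = [BitConverter]::ToUInt32($data, 4)
                LastRunUtc = $lastRun
            }
        }
    }
}

# Usage: most recently run programs first, then the Run box history in MRU order.
Get-UserAssist | Where-Object LastRunUtc | Sort-Object LastRunUtc -Descending | Format-Table -AutoSize
Get-RunMru | Format-Table -AutoSize
```

Programs the user launched from a console or via a script do not appear in UserAssist, so an empty result for a binary is not evidence it never ran; pair it with Prefetch or Amcache where those are available.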

AutoStart

Contains a list of artifacts related to anything that starts on its own, such as a scheduled task or startup item.
On Start Up
Run - Contains paths to items that execute at every logon (HKLM for all users, HKCU for the current user only)
  • Locations:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

RunOnce - Contains list of programs that will run at startup only once
  • Locations:
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

RunServices/RunServicesOnce - Legacy Windows 9x/ME keys that started "services" before logon; not processed by NT-based Windows, but still worth checking because some malware writes them
  • Locations
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
Winlogon - Programs executed when a user logs on; Userinit and Shell are values under the Winlogon key (defaults: C:\Windows\system32\userinit.exe, and explorer.exe), and anything appended to them runs at every interactive logon
  • Location: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (Userinit and Shell values)

Services
Services - Contains a list of all services and kernel drivers, running or not; the Start value gives the start type (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled) and ImagePath the binary
  • Location: HKLM\SYSTEM\CurrentControlSet\Services

Cmd.exe
Command Processor AutoRun - The AutoRun value holds a command line that cmd.exe executes every time it starts (unless launched with /D); it is empty on a default install
  • Locations
    • HKLM\SOFTWARE\Microsoft\Command Processor
    • HKCU\Software\Microsoft\Command Processor
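The AutoStart locations above are the ones an analyst reads first on a suspected persistence case, and most of the work is spotting the value that does not belong. The script below is an added example written for this sheet, not code from the original page; it reads each location on a live Windows 7 or later system and flags the obvious deviations. The "expected" Winlogon values are the stock defaults and may legitimately differ on managed builds, so treat a flag as a lead, not a verdict.

```powershell
# Added example, not from the original cheat sheet: read the autostart locations above from a
# live system and flag the values most commonly abused for persistence. Assumes Windows 7 or
# later; run from an elevated prompt so HKLM\SYSTEM\CurrentControlSet\Services is fully readable.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

function Get-RunEntries {
    # One object per value. RunOnceEx normally stores commands in numbered subkeys (0001, ...),
    # so walk one level of children as well as the key itself.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $targets = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key)
        foreach ($item in $targets) {
            foreach ($name in $item.GetValueNames()) {
                [PSCustomObject]@{ Key = $item.Name; Value = $name; Command = $item.GetValue($name) }
            }
        }
    }
}

function Test-Winlogon {
    # Userinit and Shell are REG_SZ values under the Winlogon key; anything appended to them
    # (comma-separated) runs at every interactive logon.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{
        Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is part of the default
        Shell    = 'explorer.exe'
    }
    foreach ($name in $expected.Keys) {
        [PSCustomObject]@{
            Value      = $name
            Actual     = $wl.$name
            Suspicious = ($wl.$name -ne $expected[$name])   # -ne on strings is case-insensitive
        }
    }
}

function Get-CmdAutoRun {
    # Any AutoRun value at all is worth a look; it does not exist on a default install.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Command Processor',
                     'HKCU:\Software\Microsoft\Command Processor') {
        $v = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
        if ($v) { [PSCustomObject]@{ Key = $key; AutoRun = $v } }
    }
}

function Get-AutoStartServicesOutsideWindows {
    # Start = 2 is SERVICE_AUTO_START. Listing only auto-start services whose binary is not under
    # %SystemRoot% shrinks the Services key to the entries an analyst actually needs to read.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.Start -eq 2 -and $p.ImagePath -and $p.ImagePath -notmatch 'system32|systemroot|\\windows\\') {
            [PSCustomObject]@{ Service = $_.PSChildName; ImagePath = $p.ImagePath }
        }
    }
}

Get-RunEntries | Format-Table -AutoSize
Test-Winlogon | Format-Table -AutoSize
Get-CmdAutoRun | Format-Table -AutoSize
Get-AutoStartServicesOutsideWindows | Format-Table -AutoSize
```

The service filter deliberately errs toward noise: third-party software under Program Files will show up, but so will a service pointing at a user-writable directory, which is the case worth the extra reading.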

Networking/Shares

This section contains artifacts related to networking and user shares.
Networked Drives
Map Network Drive MRU - Contains list of recently mapped network drives
  • Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

MountPoints2 - Contains one subkey per volume the user has mounted, named by volume GUID, plus ##server#share entries for network shares; the GUID says nothing by itself and must be cross-correlated with MountedDevices to identify the physical device and drive letter
  • Locations
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    • HKLM\SYSTEM\MountedDevices (maps \DosDevices\<letter> and \??\Volume{GUID} to the device)

USB

Contains list of arti
USB Storage
USBSTOR - Stores one subkey per USB mass-storage device that has been connected (Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>), with an instance subkey named after the device serial number; if the second character of that instance ID is '&', the device reported no serial and Windows generated the ID, so it is not unique across systems
  • Location: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
  • Correlate the serial with HKLM\SYSTEM\MountedDevices for the drive letter and volume GUID, and with HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 to show which user mounted it
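The cross-correlation the Networking/Shares and USB sections call for is mechanical but easy to get wrong by hand, because the same serial appears in three different shapes (a USBSTOR subkey name, a substring of a UTF-16LE MountedDevices value, and indirectly as a volume GUID under MountPoints2). The script below is an added example written for this sheet, not code from the original page or its sources; it assumes a live Windows 7 or later system, an elevated prompt, and that the shell runs as the user whose MountPoints2 is of interest.

```powershell
# Added example, not from the original cheat sheet: correlate USBSTOR, MountedDevices and the
# current user's MountPoints2 to answer "which USB disk got which drive letter, and did this
# user mount it?". Assumes a live Windows 7+ system, run elevated as the user being investigated.

function Get-UsbMountedDevices {
    # MountedDevices data for USB disks is a UTF-16LE string of the form
    #   _??_USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#<serial>&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    # under a value named \DosDevices\E: (drive letter) or \??\Volume{GUID}. MBR/GPT disk
    # entries are short binary signatures and are dropped by the USBSTOR filter.
    $item = Get-Item -Path 'HKLM:\SYSTEM\MountedDevices'
    foreach ($name in $item.GetValueNames()) {
        $raw = $item.GetValue($name)
        if ($raw -isnot [byte[]]) { continue }
        $text = [System.Text.Encoding]::Unicode.GetString($raw)
        if ($text -like '*USBSTOR#*') {
            [PSCustomObject]@{ Name = $name; DeviceString = $text }
        }
    }
}

function Get-UsbStorageHistory {
    $mounted = @(Get-UsbMountedDevices)
    $mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    $userVolumes = @()
    if (Test-Path $mp2) { $userVolumes = @(Get-ChildItem -Path $mp2 | ForEach-Object PSChildName) }

    foreach ($dev in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue) {
        foreach ($inst in Get-ChildItem -Path $dev.PSPath -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue
            $id    = $inst.PSChildName   # "<serial>&0"; an '&' as 2nd char means Windows made the ID up
            # MountedDevices embeds the instance id between '#' characters
            $hits  = @($mounted | Where-Object { $_.DeviceString -like "*#$id#*" })
            $letters = @($hits | Where-Object { $_.Name -match '^\\DosDevices\\' } |
                         ForEach-Object { $_.Name -replace '^\\DosDevices\\', '' })
            # \??\Volume{GUID} -> {GUID}, which is exactly the MountPoints2 subkey name
            $guids   = @($hits | Where-Object { $_.Name -match '^\\\?\?\\Volume\{' } |
                         ForEach-Object { $_.Name -replace '^\\\?\?\\Volume', '' })
            [PSCustomObject]@{
                Device        = $dev.PSChildName   # Disk&Ven_...&Prod_...&Rev_...
                InstanceId    = $id
                FriendlyName  = $props.FriendlyName
                DriveLetters  = $letters -join ', '
                VolumeGuids   = $guids -join ', '
                MountedByUser = [bool]@($guids | Where-Object { $userVolumes -contains $_ }).Count
            }
        }
    }
}

Get-UsbStorageHistory | Format-Table -AutoSize
```

A device with no MountedDevices hit was either never assigned a letter on this system or had its entry cleaned up, and a volume GUID that is present under MountedDevices but absent from a given user's MountPoints2 means that user never opened it in Explorer; both are findings in their own right, not failures of the script.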

References

I didn't come up with any of this material. I pulled from the various resources below and organized them in a way that made it easier to reference for me. I appreciate all of their hard work and urge you to check out their blogs.

Andreafortuna.org 
  • Windows registry in forensic analysis
