Windows Triage Artifacts

Windows.Triage.Collectors.Amcache

Arg Default Description
triageTable default (CSV):
Type,Accessor,Glob
Amcache,ntfs,C:\Windows\AppCompat\Programs\Amcache.hve
Amcache transaction files,ntfs,C:\Windows\AppCompat\Programs\Amcache.hve.LOG*
View Artifact Source

Windows.Triage.Collectors.BCD

Boot Configuration Files.

View Artifact Source

Windows.Triage.Collectors.Chrome

Collect Chrome related artifacts.

Arg Default Description
triageTable default (CSV):
Type,Accessor,Glob
Chrome Bookmarks,file,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks
Chrome Bookmarks,file,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Bookmarks
Chrome Cookies,file,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies
Chrome Cookies,file,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Cookies
Chrome Current Session,ntfs,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session
Chrome Current Session,ntfs,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Current Session
Chrome Current Tab,file,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tab
Chrome Current Tab,file,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Current Tab
Chrome Favicons,file,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons
Chrome Favicons,file,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Favicons
Chrome History,file,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\History
Chrome History,file,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\History
Chrome Last Session,file,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session
Chrome Last Session,file,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Last Session
Chrome Last Tabs,file,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs
Chrome Last Tabs,file,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Last Tabs
Chrome Preferences,file,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences
Chrome Preferences,file,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences
Chrome Shortcuts,file,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts
Chrome Shortcuts,file,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Shortcuts
Chrome Top Sites,file,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites
Chrome Top Sites,file,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Top Sites
Chrome Visited Links,file,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links
Chrome Visited Links,file,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Visited Links
Chrome Web Data,file,C:\Documents and Settings\*\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data
Chrome Web Data,file,C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data
View Artifact Source

Windows.Triage.Collectors.Edge

Collect Edge related artifacts.

Arg Default Description
triageTable default (CSV):
Type,Accessor,Glob
Edge folder,ntfs,C:\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_*\*
WebcacheV01.dat,ntfs,C:\Users\*\AppData\Local\Microsoft\Windows\WebCache\*
View Artifact Source

Windows.Triage.Collectors.EventLogs

Collect event log files.

Arg Default Description
EventLogGlobs C:\Windows\system32\config\*.evt,C:\Windows\system32\winevt\logs\*.evtx
View Artifact Source

Windows.Triage.Collectors.EventTraceLogs

Collect event trace log files.

View Artifact Source

Windows.Triage.Collectors.EvidenceOfExecution

View Artifact Source

Windows.Triage.Collectors.Firefox

Collect Firefox related artifacts.

Arg Default Description
baseLocations C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\,C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\ Globs for the different possible locations of Firefox profiles.
View Artifact Source

Windows.Triage.Collectors.InternetExplorer

Collect Internet Explorer related artifacts.

Arg Default Description
triageTable default (CSV):
Type,Accessor,Glob
Index.dat History,file,C:\Documents and Settings\*\Local Settings\History\History.IE5\index.dat
Index.dat History,file,C:\Documents and Settings\*\Local Settings\History\History.IE5\*\index.dat
Index.dat temp internet files,file,C:\Documents and Settings\*\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Index.dat cookies,file,C:\Documents and Settings\*\Cookies\index.dat
Index.dat UserData,file,C:\Documents and Settings\*\Application Data\Microsoft\Internet Explorer\UserData\index.dat
Index.dat Office XP,file,C:\Documents and Settings\*\Application Data\Microsoft\Office\Recent\index.dat
Index.dat Office,file,C:\Users\*\AppData\Roaming\Microsoft\Office\Recent\index.dat
Local Internet Explorer folder,ntfs,C:\Users\*\AppData\Local\Microsoft\Internet Explorer\*
Roaming Internet Explorer folder,file,C:\Users\*\AppData\Roaming\Microsoft\Internet Explorer\*
IE 910 History,file,C:\Users\*\AppData\Local\Microsoft\Windows\History\*
IE 910 Cache,file,C:\Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\*
IE 910 Cookies,file,C:\Users\*\AppData\Local\Microsoft\Windows\Cookies\*
IE 910 Download History,file,C:\Users\*\AppData\Local\Microsoft\Windows\IEDownloadHistory\*
IE 11 Metadata,ntfs,C:\Users\*\AppData\Local\Microsoft\Windows\WebCache\*
IE 11 Cache,ntfs,C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\*
IE 11 Cookies,file,C:\Users\*\AppData\Local\Microsoft\Windows\INetCookies\*
View Artifact Source

Windows.Triage.Collectors.Jabber

Jabber.

View Artifact Source

Windows.Triage.Collectors.LnkFiles

Lnk files and jump lists.

View Artifact Source

Windows.Triage.Collectors.NTFSMetadata

View Artifact Source

Windows.Triage.Collectors.OutlookPST

Outlook PST and OST files.

View Artifact Source

Windows.Triage.Collectors.PowershellConsoleLogs

PowerShell Console Log File.

View Artifact Source

Windows.Triage.Collectors.RecycleBin

Collect contents of Recycle Bin.

View Artifact Source

Windows.Triage.Collectors.RegistryHives

System and user related Registry hives, their transaction logs, and the RegBack copies. Note that on recent Windows 10 builds the RegBack copies are empty (zero-byte) files unless periodic registry backup has been explicitly enabled, so do not rely on them as a second copy of the hives.

Arg Default Description
triageTable default (CSV):
Type,Accessor,Glob
ntuser.dat registry hive,ntfs,C:\Documents and Settings\*\ntuser.dat
ntuser.dat registry hive,ntfs,C:\Users\*\ntuser.dat
ntuser.dat registry transaction files,ntfs,C:\Documents and Settings\*\ntuser.dat.LOG
ntuser.dat registry transaction files,ntfs,C:\Users\*\ntuser.dat.LOG
UsrClass.dat registry hive,ntfs,C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat
UsrClass.dat registry transaction files,ntfs,C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG
SAM registry transaction files,ntfs,C:\Windows\System32\config\SAM.LOG
SECURITY registry transaction files,ntfs,C:\Windows\System32\config\SECURITY.LOG
SYSTEM registry transaction files,ntfs,C:\Windows\System32\config\SYSTEM.LOG
SAM registry hive,ntfs,C:\Windows\System32\config\SAM
SECURITY registry hive,ntfs,C:\Windows\System32\config\SECURITY
SOFTWARE registry hive,ntfs,C:\Windows\System32\config\SOFTWARE
SYSTEM registry hive,ntfs,C:\Windows\System32\config\SYSTEM
RegBack registry transaction files,ntfs,C:\Windows\System32\config\RegBack\*.LOG
SAM registry hive (RegBack),ntfs,C:\Windows\System32\config\RegBack\SAM
SECURITY registry hive (RegBack),ntfs,C:\Windows\System32\config\RegBack\SECURITY
SOFTWARE registry hive (RegBack),ntfs,C:\Windows\System32\config\RegBack\SOFTWARE
SYSTEM registry hive (RegBack),ntfs,C:\Windows\System32\config\RegBack\SYSTEM
System Profile registry hive,ntfs,C:\Windows\System32\config\systemprofile\ntuser.dat
System Profile registry transaction files,ntfs,C:\Windows\System32\config\systemprofile\ntuser.dat.LOG
Local Service registry hive,ntfs,C:\Windows\ServiceProfiles\LocalService\ntuser.dat
Local Service registry transaction files,ntfs,C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG
Network Service registry hive,ntfs,C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
Network Service registry transaction files,ntfs,C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG
System Restore Points Registry Hives (XP),ntfs,C:\System Volume Information\_restore\RP\snapshot\REGISTRY
View Artifact Source

Windows.Triage.Collectors.SRUM

System Resource Usage Monitor (SRUM) Data.

View Artifact Source

Windows.Triage.Collectors.ScheduledTasks

Scheduled tasks (*.job and XML).

View Artifact Source

Windows.Triage.Collectors.Skype

Skype.

View Artifact Source

Windows.Triage.Collectors.StartupInfo

StartupInfo XML Files.

View Artifact Source

Windows.Triage.Collectors.TeraCopy

TeraCopy log history.

View Artifact Source

Windows.Triage.Collectors.ThumbDB

Thumbcache DB.

View Artifact Source

Windows.Triage.Collectors.USBDeviceLogs

USB devices log files.

View Artifact Source

Windows.Triage.Collectors.WBEM

Web-Based Enterprise Management (WBEM).

View Artifact Source

Windows.Triage.Collectors.WindowsFirewall

Windows Firewall Logs.

View Artifact Source

Windows.Triage.Collectors.WindowsIndex

Windows Index Search.

View Artifact Source

Windows.Triage.ProcessMemory

Dump the memory of processes whose name matches processRegex and upload it to the server.

Arg Default Description
processRegex notepad
View Artifact Source

Windows.Triage.WebBrowsers

A high level artifact for selecting all browser related artifacts.

View Artifact Source

Triage.Collection.Upload

A Generic uploader used by triaging artifacts.

Arg Default Description
path This is the glob of the files we use.
type The type of files these are.
accessor file
View Artifact Source

Triage.Collection.UploadTable

A Generic uploader used by triaging artifacts. This is similar to Triage.Collection.Upload but uses a CSV table to drive it.

Arg Default Description
triageTable Type,Accessor,Glob A CSV table controlling the upload. Must have the headers Type, Accessor, Glob (the default is the header row only).
View Artifact Source
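To show how a triageTable drives collection, here is an added Python example (not Velociraptor's own code) that parses a CSV of the shape used by Triage.Collection.UploadTable, validates the required headers and the accessor column, and matches each Glob against a constructed list of paths. The matcher is a simplified stand-in for the server's glob plugin and is an assumption of this example: `*` matches within a single path component and the comparison is case-insensitive, as on NTFS. The sample table rows are copied from the Amcache and RegistryHives defaults above; the path listing is constructed, not taken from a real host.

```python
"""Parse a Triage.Collection.UploadTable-style CSV and apply its globs.
Added example, not Velociraptor code; the glob semantics are an assumption."""
import csv
import io
import re

REQUIRED_HEADERS = ("Type", "Accessor", "Glob")
KNOWN_ACCESSORS = {"file", "ntfs"}   # the two accessors used by the tables on this page


def parse_triage_table(text):
    """Return a list of {Type, Accessor, Glob} dicts; raise ValueError on a bad table."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [h for h in REQUIRED_HEADERS if h not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("triageTable is missing headers: %s" % ", ".join(missing))
    rows = []
    for row in reader:
        if row["Accessor"] not in KNOWN_ACCESSORS:
            raise ValueError("unknown accessor %r for %r" % (row["Accessor"], row["Type"]))
        rows.append({h: row[h] for h in REQUIRED_HEADERS})
    return rows


def glob_to_regex(glob):
    """Translate a Windows glob to a regex: `*` never crosses a backslash."""
    parts = [r"[^\\]*" if ch == "*" else re.escape(ch) for ch in glob]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def match_table(rows, paths):
    """Return (Type, Accessor, path) for every path matched by a table row."""
    hits = []
    for row in rows:
        rx = glob_to_regex(row["Glob"])
        hits.extend((row["Type"], row["Accessor"], p) for p in paths if rx.match(p))
    return hits


# Rows copied from the defaults on this page.
SAMPLE_TABLE = r"""Type,Accessor,Glob
Amcache,ntfs,C:\Windows\AppCompat\Programs\Amcache.hve
Amcache transaction files,ntfs,C:\Windows\AppCompat\Programs\Amcache.hve.LOG*
ntuser.dat registry hive,ntfs,C:\Users\*\ntuser.dat
"""

# Constructed directory listing (not from a real system).
SAMPLE_PATHS = [
    r"C:\Windows\AppCompat\Programs\Amcache.hve",
    r"C:\Windows\AppCompat\Programs\Amcache.hve.LOG1",
    r"C:\Users\alice\ntuser.dat",
    r"C:\Users\alice\AppData\Local\ntuser.dat",   # must not match: `*` is one component
    r"C:\Users\bob\NTUSER.DAT",                   # matches: NTFS names are case-insensitive
]

if __name__ == "__main__":
    for hit in match_table(parse_triage_table(SAMPLE_TABLE), SAMPLE_PATHS):
        print("%-28s %-5s %s" % hit)
```

The header check is the one the artifact description requires; the accessor check is an extra guard so a typo such as `ntsf` fails loudly instead of silently collecting nothing.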

Windows.Forensics.Bam

The Background Activity Moderator (BAM) is a Windows service that controls the activity of background applications. It exists only in Windows 10 from the Fall Creators Update (version 1709) onwards; newer builds keep the same data under the bam\State\UserSettings key, which is why both key paths are collected by default.

For each user SID it records the full path of the executable that was run and the last execution date/time.

Arg Default Description
bamKeys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\*\*,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\*\*
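The following added Python example (not Velociraptor's own code) decodes what is stored under the keys listed above. Each value under a UserSettings\<SID> key is named after the executable in device-path form and holds a 24-byte binary value whose first 8 bytes are a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) giving the last execution time; the same key also carries `Version` and `SequenceNumber` DWORDs that must be skipped. The registry read itself is replaced by a constructed dict so the example runs offline; the SID and paths in it are made up.

```python
"""Decode BAM UserSettings values into (SID, binary, last execution time).
Added example, not Velociraptor code; sample input is constructed."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Non-executable values that live alongside the per-binary entries.
BAM_METADATA_VALUES = {"Version", "SequenceNumber"}


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer division keeps it exact."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_bam_key(key_path, values):
    """values: {value_name: raw_bytes} as read from one UserSettings\\<SID> key.
    Returns dicts with SID, Binary and LastExecution, oldest execution first."""
    sid = key_path.rstrip("\\").split("\\")[-1]
    entries = []
    for name, data in values.items():
        if name in BAM_METADATA_VALUES:
            continue
        if len(data) < 8:
            # Too short to hold a FILETIME: report the binary, do not guess a time.
            entries.append({"SID": sid, "Binary": name, "LastExecution": None})
            continue
        (ft,) = struct.unpack_from("<Q", data, 0)   # bytes 0..7 = last execution FILETIME
        entries.append({"SID": sid, "Binary": name,
                        "LastExecution": filetime_to_datetime(ft)})
    return sorted(entries, key=lambda e: e["LastExecution"] or EPOCH_1601)


# Constructed stand-in for reading one SID subkey (assumed SID and paths).
SAMPLE_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State"
              r"\UserSettings\S-1-5-21-1111-2222-3333-1001")
SAMPLE_VALUES = {
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<I", 42),
    r"\Device\HarddiskVolume3\Windows\System32\notepad.exe":
        struct.pack("<Q", datetime_to_filetime(
            datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc))) + b"\x00" * 16,
    r"\Device\HarddiskVolume3\Users\alice\Downloads\invoice.exe":
        struct.pack("<Q", datetime_to_filetime(
            datetime(2021, 3, 2, 8, 30, 15, tzinfo=timezone.utc))) + b"\x00" * 16,
}

if __name__ == "__main__":
    for e in parse_bam_key(SAMPLE_KEY, SAMPLE_VALUES):
        print(e["LastExecution"], e["SID"], e["Binary"])
```

When used against a real hive, resolve the `\Device\HarddiskVolumeN` prefix to a drive letter separately; BAM does not store drive letters.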
View Artifact Source

Windows.Forensics.FilenameSearch

Did a specific file exist on this machine in the past or does it still exist on this machine?

This common question comes up frequently in cases of IP theft, discovery and other matters. One way to answer this question is to search the $MFT file for any references to the specific filename. If the filename is fairly unique then a positive hit on that name generally means the file was present.

Simply determining that a filename existed on an endpoint in the past is significant for some investigations.

This artifact applies a YARA search for a set of filenames of interest to the $MFT file. For any hit, the artifact then identifies the MFT entry in which the hit was found and attempts to resolve that entry to an actual filename. A hit inside an unallocated MFT record still shows the name existed but means the file itself has been deleted, so check the entry's state before concluding the file is present.

Arg Default Description
yaraRule wide nocase:my secret file.txt
Device \\.\c:
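Below is an added Python example (not Velociraptor's own code) that carries out the two steps the artifact describes over a constructed $MFT image, so the offset-to-entry mapping can be seen without a live volume. The first step finds the UTF-16LE form of the name with ASCII-only case folding, which is what the `wide nocase` YARA rule in the default parameter does; the second divides the hit offset by the 1024-byte record size to get the entry number and parses that entry's $FILE_NAME attribute. The record builder is an assumption of the example: it writes only the header fields and the one attribute the resolver reads, and it omits the update-sequence fixups a real record carries, which a real parser must apply before reading past the first sector.

```python
"""Filename search over a constructed $MFT: YARA-style hit -> MFT entry -> $FILE_NAME.
Added example, not Velociraptor code; the sample MFT is constructed."""
import struct

MFT_RECORD_SIZE = 1024
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF


def build_file_record(entry_no, name, parent_ref=5):
    """Minimal FILE record: 48-byte header, one resident $FILE_NAME, end marker.
    No update-sequence fixups are written (real records have them at sector ends)."""
    name_utf16 = name.encode("utf-16-le")
    # $FILE_NAME content: parent ref(8), 4 timestamps(32), 2 sizes(16), flags(4),
    # reparse(4), name length(1), namespace(1; 1 = Win32), then the UTF-16LE name.
    content = (struct.pack("<Q", parent_ref) + b"\x00" * 56
               + struct.pack("<BB", len(name), 1) + name_utf16)
    content += b"\x00" * (-len(content) % 8)              # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHH", ATTR_FILE_NAME, 24 + len(content),
                       0, 0, 0, 0, 0, len(content), 24, 0) + content
    body = attr + struct.pack("<I", ATTR_END)
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 48, 0, 0, 1, 1, 56, 1,
                                   56 + len(body), MFT_RECORD_SIZE, 0, 2, 0, entry_no)
    return (header + b"\x00" * 8 + body).ljust(MFT_RECORD_SIZE, b"\x00")


def find_name_hits(mft, filename):
    """Offsets of the UTF-16LE name, ASCII case-folded like YARA's `wide nocase`."""
    needle = filename.encode("utf-16-le").lower()
    hay = bytes(mft).lower()
    hits, pos = [], hay.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = hay.find(needle, pos + 1)
    return hits


def resolve_entry(mft, entry_no):
    """Parse entry_no's $FILE_NAME; return (name, parent_entry) or None if unusable."""
    base = entry_no * MFT_RECORD_SIZE
    rec = mft[base:base + MFT_RECORD_SIZE]
    if rec[:4] != b"FILE":
        return None                                   # unused slack or a corrupt record
    attr_off = struct.unpack_from("<H", rec, 0x14)[0]
    while attr_off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, attr_off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[attr_off + 8] == 0:   # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, attr_off + 16)
            c = rec[attr_off + coff:attr_off + coff + clen]
            parent = struct.unpack_from("<Q", c, 0)[0] & 0xFFFFFFFFFFFF   # drop sequence no.
            nlen, namespace = struct.unpack_from("<BB", c, 64)
            if namespace != 2:                        # skip DOS 8.3 names when present
                return c[66:66 + 2 * nlen].decode("utf-16-le"), parent
        attr_off += alen
    return None


def search_mft(mft, filename):
    """Every hit as (offset, entry_no, resolved name or None, parent entry or None)."""
    out = []
    for off in find_name_hits(mft, filename):
        entry = off // MFT_RECORD_SIZE
        res = resolve_entry(mft, entry)
        out.append((off, entry, res[0] if res else None, res[1] if res else None))
    return out


def build_sample_mft():
    """Constructed $MFT of 8 records: 5 is the root, 6 the file of interest, 7 unrelated;
    entry 2 is an unused record whose slack still holds the name (resolves to None)."""
    records = [b"\x00" * MFT_RECORD_SIZE for _ in range(8)]
    records[5] = build_file_record(5, ".", parent_ref=5)
    records[6] = build_file_record(6, "My Secret File.txt", parent_ref=5)
    records[7] = build_file_record(7, "unrelated.txt", parent_ref=5)
    slack = "my secret file.txt".encode("utf-16-le")
    records[2] = (b"\x00" * 300 + slack).ljust(MFT_RECORD_SIZE, b"\x00")
    return b"".join(records)

if __name__ == "__main__":
    for hit in search_mft(build_sample_mft(), "my secret file.txt"):
        print("offset=%d entry=%d name=%r parent=%r" % hit)
```

The second hit resolves to the live entry 6; the first lands in entry 2, which has no valid header, so the name is reported with no resolution. That is the "existed in the past" case the description above refers to.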
View Artifact Source

Windows.Forensics.Prefetch

Windows keeps a cache of prefetch files. When an executable is run, the system records properties about the executable to make it faster to run next time. By parsing this information we are able to determine when binaries were run in the past. On Windows 10 the last 8 execution times are recorded, and the files are stored compressed (they begin with an `MAM` header), so they must be decompressed before parsing.

Arg Default Description
prefetchGlobs C:\Windows\Prefetch\*.pf
View Artifact Source

Windows.Forensics.RecentApps

Execution of GUI programs launched on a Windows 10 system is tracked in the RecentApps key of each user's NTUSER.DAT hive.

Arg Default Description
UserFilter If specified we filter by this user ID.
ExecutionTimeAfter If specified only show executions after this time.
RecentAppsKey Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\*
UserHomes C:\Users\*\NTUSER.DAT
View Artifact Source

Windows.Forensics.Timeline

Win10 records recently used applications and files in a “timeline” accessible via the “WIN+TAB” key. The data is recorded in a SQLite database.

Arg Default Description
UserFilter If specified we filter by this user ID.
ExecutionTimeAfter If specified only show executions after this time.
Win10TimelineGlob C:\Users\*\AppData\Local\ConnectedDevicesPlatform\L.*\ActivitiesCache.db
View Artifact Source
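To show what the artifact pulls out of that SQLite database, here is an added Python example (not Velociraptor's own code) that builds an in-memory Activity table with only the columns used here (the real table has many more), inserts constructed rows, and runs the kind of query the artifact performs, including the ExecutionTimeAfter cutoff. Two facts about the real file are relied on: the timestamp columns are Unix epoch seconds, and AppId is a JSON list of objects with `application` and `platform` fields. The ActivityType meanings (5 = open, 6 = focus) are the interpretation common timeline parsers use; the paths and times in the rows are made up.

```python
"""Query a Windows 10 timeline (ActivitiesCache.db) for application executions.
Added example, not Velociraptor code; schema is a subset and rows are constructed."""
import json
import sqlite3
from datetime import datetime, timezone

# ActivityType values as commonly interpreted: 5 = application/file opened, 6 = in focus.
ACTIVITY_TYPES = {5: "Open", 6: "Focus"}

SCHEMA = """
CREATE TABLE Activity (
    Id BLOB PRIMARY KEY, AppId TEXT, ActivityType INT,
    StartTime INT, EndTime INT, LastModifiedTime INT, Payload TEXT
);"""

# Constructed rows; Payload is kept as JSON text here (a BLOB in the real file).
SAMPLE_ROWS = [
    (b"\x01", json.dumps([{"application": r"C:\Windows\System32\notepad.exe",
                           "platform": "windows_win32"}]),
     5, 1614600000, 1614600600, 1614600600, json.dumps({"displayText": "notes.txt"})),
    (b"\x02", json.dumps([{"application": r"C:\Users\alice\Downloads\invoice.exe",
                           "platform": "windows_win32"}]),
     5, 1614686400, 1614686460, 1614686460, json.dumps({"displayText": "invoice.exe"})),
    (b"\x03", json.dumps([{"application": r"C:\Windows\System32\notepad.exe",
                           "platform": "windows_win32"}]),
     6, 1614600010, 1614600500, 1614600500, None),
]


def open_sample_db():
    """In-memory stand-in for an ActivitiesCache.db copied off a host."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def application_from_appid(appid_json):
    """Prefer the windows_win32 path entry; fall back to the first entry."""
    apps = json.loads(appid_json)
    for a in apps:
        if a.get("platform") == "windows_win32":
            return a.get("application")
    return apps[0].get("application") if apps else None


def query_timeline(conn, execution_time_after=None, activity_types=(5,)):
    """Activities of the given types that started after the cutoff, oldest first."""
    after = int(execution_time_after.timestamp()) if execution_time_after else 0
    marks = ",".join("?" * len(activity_types))
    cur = conn.execute(
        "SELECT AppId, ActivityType, StartTime, EndTime, Payload FROM Activity "
        "WHERE ActivityType IN (%s) AND StartTime > ? ORDER BY StartTime" % marks,
        (*activity_types, after))
    out = []
    for appid, atype, start, end, payload in cur:
        p = json.loads(payload) if payload else {}
        out.append({
            "Application": application_from_appid(appid),
            "Type": ACTIVITY_TYPES.get(atype, str(atype)),
            "Start": datetime.fromtimestamp(start, tz=timezone.utc),
            "End": datetime.fromtimestamp(end, tz=timezone.utc) if end else None,
            "DisplayText": p.get("displayText"),
        })
    return out

if __name__ == "__main__":
    for row in query_timeline(open_sample_db(), activity_types=(5, 6)):
        print(row["Start"], row["Type"], row["Application"], row["DisplayText"])
```

Copy the database (and its -wal file, if present) before querying it; opening the live file under the user's profile can fail or miss uncommitted rows.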