Artefacts overview

Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: artefacts.help.

General

System information

Filesystem

Program execution

Files and folders access

Remote Access / Lateral movements

Network usage

Local persistence

For artefacts on local persistence and AutoStart Extensibility Point (ASEP), refer to:

Web browsers usage

The web browser related artefacts can be split into the following categories:

  • User profile: web browsers, such as Chromium-based browsers and Firefox, implement a profile feature to store the user's settings, history, favourites, etc. The databases and files that store this information are usually located under a user-specific profile folder.

  • History: web browsing history and download history.

  • Cookies: web browsing cookies (session tokens).

  • Cache: cache of resources downloaded from accessed websites (images, text content, HTML, CSS, JavaScript files, etc.).

  • Sessions: tabs and windows from a browsing session.

  • Settings: configuration settings.

These files are often stored under %LocalAppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Local\) and %AppData% (%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\).

Devices and USB activity

Windows device terminology:

  • The vendor ID (VID) identifies a specific vendor; a VID-to-vendor mapping is available on devicehunt.com. The product ID (PID) identifies a product from that vendor.

  • The device ID or hardware ID is "a vendor-defined identification string that Windows uses to match a device to a driver package". The identifier references the vendor and product names as well as the revision. Example for a DataTraveler_3 USB key by Kingston: Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP.

  • The instance ID is "a device identification string that distinguishes a device from other devices of the same type on a computer". It contains the device serial number, if supplied, and otherwise "some kind of location information". Example of an instance ID for a device that does not supply a serial number: 5&2eab04ab&0&1.

  • The device instance ID is "a system-supplied device identification string that uniquely identifies a device in the system". It is notably composed of the device's device ID and instance ID.

  • The container ID is "a system-supplied device identification string that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer". Starting with Windows 7, the Plug and Play (PnP) manager uses the container ID to group one or more device nodes (devnodes) that originated from a particular physical device.

  • The device interface class represents the type of the device (storage devices, USB devices, Bluetooth devices, etc.). Each device interface class is associated with a unique GUID, defined by Microsoft. The list of GUIDs by category of device can be found in the Microsoft documentation.

    • External physical storage GUID: {53f56307-b6bf-11d0-94f2-00a0c91efb8b}.

    • Logical volumes GUID: {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
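As an added example (not code from the original notes), the parser below splits a device instance ID of the form enumerator\device ID\instance ID, as stored under HKLM\SYSTEM\CurrentControlSet\Enum, into the device ID fields and instance ID defined above, and flags whether the instance ID is a device-supplied serial number or a system-generated one (Windows places "&" as the second character of instance IDs it generates itself, as in 5&2eab04ab&0&1). The three-part layout is an assumption of the example; the Kingston sample comes from the page and the second sample is constructed.

```python
# Added example: parse a USBSTOR device instance ID into its components.
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceInstanceId:
    enumerator: str           # e.g. "USBSTOR"
    device_id: str            # vendor-defined device/hardware ID
    vendor: Optional[str]     # value of the Ven_ field
    product: Optional[str]    # value of the Prod_ field
    revision: Optional[str]   # value of the Rev_ field
    instance_id: str          # serial number or system-generated location string
    serial_supplied: bool     # False when Windows generated the instance ID
    serial: Optional[str]     # serial number when the device supplied one


def parse_device_instance_id(value: str) -> DeviceInstanceId:
    """Parse "<enumerator>\\<device ID>\\<instance ID>" (assumed three-part layout)."""
    parts = value.split("\\")
    if len(parts) != 3:
        raise ValueError(f"expected three backslash-separated parts: {value!r}")
    enumerator, device_id, instance_id = parts
    fields = {}
    for token in device_id.split("&"):          # e.g. Disk&Ven_Kingston&Prod_...&Rev_PMAP
        for prefix in ("Ven_", "Prod_", "Rev_"):
            if token.startswith(prefix):
                fields[prefix] = token[len(prefix):]
    # Windows marks an instance ID it generated itself (device supplied no serial
    # number) by placing "&" as the second character, as in "5&2eab04ab&0&1".
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    # USBSTOR appends "&<n>" (usually "&0") after a device-supplied serial; strip it.
    serial = None if generated else instance_id.split("&")[0]
    return DeviceInstanceId(enumerator, device_id, fields.get("Ven_"),
                            fields.get("Prod_"), fields.get("Rev_"),
                            instance_id, not generated, serial)


def summarise(value: str) -> str:
    d = parse_device_instance_id(value)
    origin = f"serial {d.serial}" if d.serial_supplied else "no serial (system-generated instance ID)"
    return f"{d.vendor} {d.product} rev {d.revision}: {origin}"


if __name__ == "__main__":
    for sample in (
        "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\5&2eab04ab&0&1",
        "USBSTOR\\Disk&Ven_Example&Prod_Stick&Rev_1.00\\0123456789ABCDEF&0",  # constructed
    ):
        print(summarise(sample))
```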

Devices and USB activity forensics artefacts

The information below originates from tests on Windows 10 Pro - 19045.2965 and Windows 11 Pro - build 22621.1702 systems.

Anti-virus and Remote Administration/Access applications

The ruler-project documents artefacts for numerous anti-virus products (20+) and remote administration/access applications (15+).

Other third-party applications

The SANS Institute "Windows Third-Party Apps Forensics" poster can be consulted for a list of artefacts from a number of popular Windows third-party applications (also including anti-virus and remote administration/access applications).

Defense evasion

Others

TODO

  • IconCache.db

  • Hidden local account HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

  • Bitsadmin

    • EVTX: Microsoft-Windows-Bits-Client%4Operational.evtx (event ID 59)

    • Persistent files: %SystemRoot%\ProgramData\Microsoft\Network\Downloader\ (see https://www.sans.org/white-papers/39195/)

  • Syscache hive

  • Small memory dumps: hiberfil.sys, pagefile.sys, swapfile.sys

  • Registry LOG Files

References

https://nasbench.medium.com/a-primer-on-event-tracing-for-windows-etw-997725c082bf

https://blog.1234n6.com/2018/10/available-artifacts-evidence-of.html

SANS posters Windows forensics - https://www.sans.org/posters/windows-forensic-analysis/

https://www.scitepress.org/papers/2017/64167/64167.pdf

http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html

https://www.sans.org/blog/opensavemru-and-lastvisitedmru/

https://andreafortuna.org/2018/05/23/forensic-artifacts-evidences-of-program-execution-on-windows-systems/

https://dfir.ru/2020/04/08/bam-internals/

https://cellebrite.com/en/analyzing-program-execution-windows-artifacts/

https://crucialsecurity.wordpress.com/2011/03/14/typedurls-part-1/

https://www.crowdstrike.com/blog/how-to-employ-featureusage-for-windows-10-taskbar-forensics/

https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/

https://learn.microsoft.com/en-us/windows/win32/shell/app-registration

https://thinkdfir.com/2020/10/23/when-did-recentapps-go/

https://df-stream.com/2017/10/recentapps/

https://github.com/volatilityfoundation/community/blob/master/ThomasChopitea/autoruns.py

https://www.istrosec.com/blog/windows-10-timeline/

https://kacos2000.github.io/WindowsTimeline/WindowsTimeline.pdf

https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/

https://www.youtube.com/watch?v=rioVumJB0Fo

https://www.youtube.com/watch?v=qxPoKNmnuIQ

https://www.13cubed.com/downloads/windows_registry_cheat_sheet.pdf

https://www.hecfblog.com/2013/08/daily-blog-67-understanding-artifacts.html

https://learn.microsoft.com/en-us/windows-hardware/drivers/storage/supporting-mount-manager-requests-in-a-storage-class-driver

https://www.sans.org/blog/computer-forensic-guide-to-profiling-usb-device-thumbdrives-on-win7-vista-and-xp/

http://windowsir.blogspot.com/2013/04/plugin-emdmgmt.html

https://www.hecfblog.com/2013/08/daily-blog-66-understanding-artifacts.html

http://website.bcmsystem.com/orion/wp-content/uploads/2019/05/Microsoft-Windows-10-USB-Forensic-Artefacts.pdf

https://lifars.com/wp-content/uploads/2020/04/LIFARS-WhitePaper-Windows-ShellBags-Forensics-Investigative-Value-of-Windows-ShellBags.pdf

https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/

https://www.youtube.com/watch?v=rV8aErDj06A

https://www.netsurion.com/articles/following-a-users-logon-tracks-throughout-the-windows-domain

https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html

https://www.ntfs.com/

https://github.com/jschicht/Secure2Csv

https://www.forensicsmyanmar.com/2022/08/ntfs-index-attributes.html

https://dfir.ru/2021/01/10/standard_information-vs-file_name/

https://en.wikipedia.org/wiki/Windows_thumbnail_cache

https://thumbcacheviewer.github.io/

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2429795

https://www.13cubed.com/downloads/windows_browser_artifacts_cheat_sheet.pdf

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4776

https://mandiant.com/resources/blog/digging-up-the-past-windows-registry-forensics-revisited

https://www.mdpi.com/2673-6756/2/1/7