Evidence Collection

Speed and integrity determine whether evidence survives—and whether your investigation succeeds.


Why Efficient Collection Matters

When an incident occurs, volatile evidence disappears fast. Running processes, network connections, and memory contents can be lost within minutes as systems shut down or attackers cover their tracks.

Efficient tooling solves three problems:

Challenge | Solution
Speed     | Rapid triage before volatile data is lost
Integrity | Write-blocking, hashing, and structured output make the evidence defensible
Scale     | Collect across many endpoints without overwhelming limited analyst resources


Core Tooling

Tool         | Primary Use
KAPE         | Rapid triage collection, targeted artifact acquisition
Velociraptor | Scalable collection across endpoints, structured JSONL output
FTK Imager   | Full forensic imaging with hash verification
PowerShell   | Scripted automation for live response


Key Principles

  • Capture volatile data first — Memory, processes, and network connections before disk artifacts

  • Maintain integrity — Hash verification (record SHA-256; MD5 and SHA-1 are still widely used for matching existing records but should not be the only hash) and write-blocking preserve chain of custody

  • Automate collection — Reduces human error and ensures comprehensive artifact coverage

  • Document everything — Collection timestamps, methods, and personnel for legal admissibility
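The four principles above applied in one live-response script, as an added example (not code from the original page). It captures the volatile artifacts first, hashes every output file with SHA-256 as soon as it is written, and records collector, host and UTC timestamps in a manifest so the set can be re-verified later. The script name, the output folder and the examiner parameter are assumptions; it requires an elevated PowerShell 5.1 or later session on Windows 8 / Server 2012 or newer (for Get-NetTCPConnection and Get-ScheduledTask), and the output folder should sit on external, write-protected media in a real collection.

```powershell
# Invoke-Triage.ps1 (hypothetical name) - volatile-first live triage with hashing and a manifest.
# Added example, not from the original page. Run elevated; $OutDir is an assumption.
param(
    [string]$OutDir   = "D:\Triage\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')",
    [string]$Examiner = $env:USERNAME
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$manifest = @()

function Save-Artifact {
    # Runs a collector, writes CSV, hashes the file immediately and records the result.
    param([string]$Name, [scriptblock]$Collector)
    $path  = Join-Path $OutDir "$Name.csv"
    $start = [DateTime]::UtcNow
    try {
        & $Collector | Export-Csv -Path $path -NoTypeInformation -Encoding UTF8
        $hash   = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $status = 'ok'
    } catch {
        $hash   = $null
        $status = "error: $($_.Exception.Message)"
    }
    $script:manifest += [pscustomobject]@{
        Artifact = $Name; File = $path
        StartUtc = $start.ToString('o'); EndUtc = [DateTime]::UtcNow.ToString('o')
        SHA256   = $hash; Status = $status
    }
}

function Test-TriageManifest {
    # Re-hashes every file named in a manifest; Match = $false means the evidence changed or is missing.
    param([string]$ManifestPath)
    Import-Csv $ManifestPath | ForEach-Object {
        $now = if (Test-Path $_.File) { (Get-FileHash $_.File -Algorithm SHA256).Hash } else { 'MISSING' }
        [pscustomobject]@{ Artifact = $_.Artifact; Match = ($now -eq $_.SHA256); Recorded = $_.SHA256; Current = $now }
    }
}

# Order of volatility: processes and sockets first, disk-resident artifacts last.
Save-Artifact 'processes' {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate, ExecutablePath
}
Save-Artifact 'tcp_connections' {
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}
Save-Artifact 'udp_endpoints'   { Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess }
Save-Artifact 'logged_on_users' {
    Get-CimInstance Win32_LoggedOnUser | Select-Object @{n='Domain';e={$_.Antecedent.Domain}},
        @{n='User';e={$_.Antecedent.Name}}, @{n='LogonId';e={$_.Dependent.LogonId}}
}
Save-Artifact 'services'        { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName, StartName }
Save-Artifact 'scheduled_tasks' {
    Get-ScheduledTask | Select-Object TaskName, TaskPath, State,
        @{n='Actions';e={($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '}}
}
Save-Artifact 'prefetch_listing' {
    Get-ChildItem "$env:SystemRoot\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue |
        Select-Object Name, Length, CreationTimeUtc, LastWriteTimeUtc
}

# Manifest: who collected what, when, and the hash each file must still match.
$manifestPath = Join-Path $OutDir 'manifest.csv'
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation -Encoding UTF8
[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    Examiner       = $Examiner
    CollectedUtc   = [DateTime]::UtcNow.ToString('o')
    ManifestSHA256 = (Get-FileHash $manifestPath -Algorithm SHA256).Hash
} | Export-Csv -Path (Join-Path $OutDir 'collection.csv') -NoTypeInformation -Encoding UTF8

# Sanity check before the media leaves the scene.
Test-TriageManifest $manifestPath | Format-Table -AutoSize
```

The hash of manifest.csv recorded in collection.csv is what an examiner signs for at hand-over; re-running Test-TriageManifest against the received copy is the integrity check the chain-of-custody form refers to.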


Business Alignment

Efficient evidence collection supports:

  • Regulatory compliance — GDPR, HIPAA, and others mandate rapid incident reporting and evidence preservation

  • Faster containment — Quick identification of attack vectors reduces downtime and financial impact

  • Legal defensibility — Properly collected evidence holds up in court and supports law enforcement engagement


The following sections provide practical guidance for conducting DFIR collections in Windows environments.

Acquire Triage Image Using KAPE

Acquire Triage Data Using Velociraptor

Acquire Triage Data Using PowerShell

Acquire Triage Memory Image

Acquire Image Using FTK

System and User Information (via Registry)

Artifact | Location | Tools or Commands
Operating System Version | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Registry Explorer
System Boot & Autostart Programs | Run and RunOnce keys under SOFTWARE\Microsoft\Windows\CurrentVersion and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion | Registry Explorer
Computer Name | SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName | Registry Explorer
System Last Shutdown Time | SYSTEM\CurrentControlSet\Control\Windows (ShutdownTime value, 64-bit FILETIME) | Registry Explorer
Cloud Account Details | SAM\Domains\Account\Users\<RID>\InternetUserName | Registry Explorer
User Accounts | SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList | Registry Explorer
Last Login and Password Change | SAM\Domains\Account\Users\<RID> (F value) | Registry Explorer
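Reading the rows of this table from a live system, as an added example that is not part of the original page. It shows the decoding the tools above do for you: ShutdownTime is an 8-byte FILETIME, InstallDate is a Unix epoch, and the per-user Run keys live in each NTUSER.DAT that is loaded under HKEY_USERS. It assumes an elevated PowerShell 5.1 or later session; the SAM rows are not covered because the SAM hive is readable only as SYSTEM or from an offline image. For an offline hive, load it with reg load (the HKLM\Evidence name below is hypothetical), note that an offline SYSTEM hive has ControlSet00N rather than CurrentControlSet (pick the one named in Select\Current), and adjust the HKLM:\SYSTEM and HKLM:\SOFTWARE prefixes.

```powershell
# Added example, not from the original page. Live registry; elevated session assumed.
# Offline hives: reg load HKLM\Evidence X:\Windows\System32\config\SYSTEM (hypothetical mount name).

function ConvertFrom-FileTimeBytes {
    # REG_BINARY values such as ShutdownTime hold a little-endian 64-bit FILETIME.
    param([byte[]]$Bytes, [int]$Offset = 0)
    try { [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, $Offset)) } catch { $null }
}

function Get-SystemIdentity {
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $cn  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName'
    $win = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    $tz  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
    [pscustomobject]@{
        ProductName     = $cv.ProductName
        DisplayVersion  = $cv.DisplayVersion        # e.g. 22H2; absent on builds before Windows 10 20H2
        CurrentBuild    = $cv.CurrentBuild
        InstallDateUtc  = [DateTimeOffset]::FromUnixTimeSeconds($cv.InstallDate).UtcDateTime
        ComputerName    = $cn.ComputerName
        LastShutdownUtc = ConvertFrom-FileTimeBytes $win.ShutdownTime
        TimeZoneKeyName = $tz.TimeZoneKeyName
        ActiveTimeBias  = $tz.ActiveTimeBias        # minutes to add to local time to reach UTC
    }
}

function Get-ProfileListUsers {
    # ProfileList is the SID -> profile path map; it is readable even when the SAM is not.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ SID = $_.PSChildName; ProfilePath = $p.ProfileImagePath }
    }
}

function Get-RunKeyEntries {
    # Machine-wide autostarts plus the Run key of every NTUSER.DAT currently loaded under HKEY_USERS.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    if (-not (Test-Path 'HKU:')) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
    $roots += @(Get-ChildItem 'HKU:' | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" })
    foreach ($r in $roots) {
        if (-not (Test-Path $r)) { continue }
        (Get-ItemProperty $r).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |          # drop the provider's PSPath/PSDrive noise
            ForEach-Object { [pscustomobject]@{ Key = $r; Name = $_.Name; Command = $_.Value } }
    }
}

Get-SystemIdentity   | Format-List
Get-ProfileListUsers | Format-Table -AutoSize
Get-RunKeyEntries    | Format-Table -AutoSize -Wrap
```

The SID filter in Get-RunKeyEntries deliberately skips the *_Classes hives and the built-in S-1-5-18/19/20 accounts; users who are not logged on have no hive under HKEY_USERS, so their NTUSER.DAT must be parsed from disk.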

Application Execution

Artifact | Location | Tools or Commands
Shimcache | SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache | RegRipper
Amcache.hve | C:\Windows\AppCompat\Programs\Amcache.hve | Registry Explorer
UserAssist | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count (value names are ROT13-encoded) | Registry Explorer
Win10 Timeline | %USERPROFILE%\AppData\Local\ConnectedDevicesPlatform\L.<username> (local account) or <account id> (Microsoft account)\ActivitiesCache.db | WxTCmd.exe -f "ActivitiesCache.db" --csv D:\Hands-On
SRUM | C:\Windows\System32\sru\SRUDB.dat | srum-dump
BAM / DAM | SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID> and SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\<SID> | Registry Explorer
Prefetch | C:\Windows\Prefetch | PECmd.exe -d D:\Windows\Prefetch --csv "D:\Hands-On" --csvf prefetch.csv or WinPrefetchView
MFT, USN Journal | C:\$MFT and C:\$Extend\$UsnJrnl:$J | MFTECmd.exe -f "D:\$MFT" --csv "D:\Hands-On" (same for the extracted $J)
Task Bar Feature Usage | NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage | Registry Explorer
Jumplist | %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and \CustomDestinations | JumpList Explorer
Last Visited MRU | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU | RegRipper
CapabilityAccessManager | NTUSER\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore | Registry Explorer
Commands Executed in the Run Dialog | NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | Registry Explorer
Services | SYSTEM\CurrentControlSet\Services | Registry Explorer
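Two of the rows above need decoding before they mean anything, and the example below (added here, not from the original page) does it on a live system: UserAssist value names are ROT13-obfuscated and their data holds a run count at offset 4 and a last-execution FILETIME at offset 60 (Windows 7 and later layout), while each BAM/DAM value is named after the executable and starts with an 8-byte FILETIME. It assumes an elevated PowerShell 5.1 or later session; UserAssist is read for the current user only (HKCU), and the older Windows 10 1709-1803 BAM path without the State subkey is also tried.

```powershell
# Added example, not from the original page. Elevated session assumed; UserAssist is read from HKCU.

function ConvertFrom-FileTimeBytes {
    param([byte[]]$Bytes, [int]$Offset = 0)
    try { [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, $Offset)) } catch { $null }
}

function ConvertFrom-Rot13 {
    # UserAssist value names are ROT13 paths; digits, braces and slashes pass through unchanged.
    param([string]$Text)
    -join ($Text.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if     ($c -ge 65 -and $c -le 90)  { [char]((($c - 65 + 13) % 26) + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char]((($c - 97 + 13) % 26) + 97) }
        else   { $_ }
    })
}

function Get-UserAssistEntries {
    # Win7+ layout: 72-byte value, run count (UInt32) at offset 4, last-execution FILETIME at offset 60.
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    foreach ($guidKey in Get-ChildItem $root) {
        $count = "$($guidKey.PSPath)\Count"
        if (-not (Test-Path $count)) { continue }
        foreach ($p in (Get-ItemProperty $count).PSObject.Properties) {
            if ($p.Name -like 'PS*' -or $p.Value -isnot [byte[]]) { continue }
            $d = $p.Value
            [pscustomobject]@{
                Name        = ConvertFrom-Rot13 $p.Name
                RunCount    = if ($d.Length -ge 8)  { [BitConverter]::ToUInt32($d, 4) } else { $null }
                LastExecUtc = if ($d.Length -ge 68) { ConvertFrom-FileTimeBytes $d 60 } else { $null }
            }
        }
    }
}

function Get-BamEntries {
    # BAM/DAM: one subkey per SID, one REG_BINARY value per executable path; bytes 0-7 are a FILETIME.
    $bases = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings',        # Windows 10 1709-1803 layout
        'HKLM:\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings'
    )
    foreach ($base in $bases) {
        if (-not (Test-Path $base)) { continue }
        foreach ($sidKey in Get-ChildItem $base) {
            foreach ($p in (Get-ItemProperty $sidKey.PSPath).PSObject.Properties) {
                if ($p.Name -like 'PS*' -or $p.Name -in 'Version','SequenceNumber') { continue }
                if ($p.Value -isnot [byte[]] -or $p.Value.Length -lt 8) { continue }
                [pscustomobject]@{
                    Service     = if ($base -like '*\dam\*') { 'dam' } else { 'bam' }
                    SID         = $sidKey.PSChildName
                    Path        = $p.Name
                    LastExecUtc = ConvertFrom-FileTimeBytes $p.Value 0
                }
            }
        }
    }
}

Get-UserAssistEntries | Sort-Object LastExecUtc -Descending | Format-Table -AutoSize
Get-BamEntries        | Sort-Object LastExecUtc -Descending | Format-Table -AutoSize
```

BAM paths are written in device form (\Device\HarddiskVolumeN\...), so map volume numbers to drive letters with the MountedDevices key before comparing them with Shimcache or Prefetch entries.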

File and Folder Opening

Artifact | Location | Tools or Commands
Shellbags | USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU and \Bags; NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU and \Bags | ShellBags Explorer
Open/Save MRU | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU | Registry Explorer
Shortcut (LNK) Files | %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\ and %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\ | Autopsy
Jumplist | %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and \CustomDestinations | JumpList Explorer
Recent Files | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | Registry Explorer
Office Recent Files | NTUSER.DAT\Software\Microsoft\Office\<Version>\<AppName>\File MRU | Registry Explorer
Office Trust Records | NTUSER\Software\Microsoft\Office\<Version>\<AppName>\Security\Trusted Documents\TrustRecords | Registry Explorer
MS Word Reading Locations | NTUSER\Software\Microsoft\Office\<Version>\Word\Reading Locations | Registry Explorer
Office OAlerts | C:\Windows\System32\winevt\Logs\OAlerts.evtx | Event Log Explorer
Last Visited MRU | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU | Registry Explorer
Internet Explorer file:/// | %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat (ESE database, not plain text) | ESEDatabaseView

Deleted Items and File Existence

Artifact | Location | Tools or Commands
Recycle Bin | C:\$Recycle.Bin\<SID>\ ($I files hold the original path and deletion time, $R files the content) | RBCmd
Thumbcache | %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db | Thumbcache Viewer
User Typed Paths | NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths | Registry Explorer
Search – WordWheelQuery | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery | Registry Explorer
Internet Explorer file:/// | %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat (ESE database, not plain text) | ESEDatabaseView
Windows Search Database | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb | LostPassword's Search Index Examiner

Browser Activity

Artifact | Location | Tools or Commands
Browser activity | Chromium-based browsers: %USERPROFILE%\AppData\Local\<Vendor>\<Browser>\User Data\Default\ (History, Cookies, Login Data); Firefox: %USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\ (places.sqlite, cookies.sqlite) | DB Browser for SQLite

Network Usage

Artifact | Location | Tools or Commands
Network History | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles and NetworkList\Signatures\Unmanaged | Registry Explorer
Timezone | SYSTEM\CurrentControlSet\Control\TimeZoneInformation | Registry Explorer
WLAN Event Log | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx (Event ID 8001 connected, 8003 disconnected) | Event log viewer
Network Interfaces | SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces | Registry Explorer
SRUM | C:\Windows\System32\sru\SRUDB.dat | srum-dump

USB Usage

Artifact | Location | Tools or Commands
USB Device Identification | SYSTEM\CurrentControlSet\Enum\USBSTOR and SYSTEM\CurrentControlSet\Enum\USB | Registry Explorer
Drive Letter and Volume Name | SOFTWARE\Microsoft\Windows Portable Devices\Devices and SYSTEM\MountedDevices | Registry Explorer
User Information | SYSTEM\MountedDevices and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 | Registry Explorer
Connection Timestamps | SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 (install), 0066 (last arrival), 0067 (last removal); each a FILETIME | Registry Explorer
Volume Serial Number (VSN) | SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt (populated by ReadyBoost evaluation; usually absent on SSD systems) | Registry Explorer
Shortcut (LNK) Files | %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\ and %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\ | Autopsy
Event Logs | C:\Windows\System32\winevt\Logs\System.evtx (Event ID 20001/20003, Microsoft-Windows-UserPnp) | Event log viewer
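How the first four rows of this table fit together, as an added example that is not part of the original page: the device serial from Enum\USBSTOR, the volume GUID and drive letter from MountedDevices (whose USB entries are UTF-16 strings containing that serial), and the users who mounted the volume from each profile's MountPoints2 key. It runs against the live registry in an elevated PowerShell 5.1 or later session. The Properties\{83da6326-...} timestamp subkeys are ACL'd to SYSTEM, so as an ordinary administrator the three timestamps come back empty; run the script as SYSTEM (for instance via psexec -s) or take the values from an offline hive.

```powershell
# Added example, not from the original page. Live registry; elevated session assumed.

function ConvertFrom-FileTimeBytes {
    param([byte[]]$Bytes, [int]$Offset = 0)
    try { [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, $Offset)) } catch { $null }
}

function Get-UsbStorDevices {
    # Enum\USBSTOR\<Disk&Ven_&Prod_&Rev_>\<instance>. The instance ID is the device serial plus '&0';
    # if its second character is '&' Windows generated it because the device reported no serial.
    $propGuid = '{83da6326-97a6-4088-9453-a1923f573b29}'
    $props = [ordered]@{ '0064' = 'InstallUtc'; '0065' = 'FirstInstallUtc'; '0066' = 'LastArrivalUtc'; '0067' = 'LastRemovalUtc' }
    foreach ($devClass in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR') {
        foreach ($inst in Get-ChildItem $devClass.PSPath) {
            $p   = Get-ItemProperty $inst.PSPath
            $row = [ordered]@{
                DeviceClass  = $devClass.PSChildName
                Serial       = ($inst.PSChildName -split '&')[0]
                GeneratedId  = ($inst.PSChildName.Length -gt 1 -and $inst.PSChildName[1] -eq '&')
                FriendlyName = $p.FriendlyName
            }
            foreach ($prop in $props.GetEnumerator()) {
                $v = $null
                # Default value of the 00xx key; access denied unless running as SYSTEM.
                try { $v = (Get-ItemProperty "$($inst.PSPath)\Properties\$propGuid\$($prop.Key)" -Name '(default)' -ErrorAction Stop).'(default)' } catch {}
                $row[$prop.Value] = if ($v) { ConvertFrom-FileTimeBytes $v } else { $null }
            }
            [pscustomobject]$row
        }
    }
}

function Get-UsbVolumeMap {
    # MountedDevices: USB entries decode as UTF-16 '_??_USBSTOR#<class>#<serial>&0#{GUID}'.
    $md = Get-ItemProperty 'HKLM:\SYSTEM\MountedDevices'
    $usbVols = foreach ($p in $md.PSObject.Properties) {
        if ($p.Name -like 'PS*' -or $p.Value -isnot [byte[]]) { continue }
        $s = [Text.Encoding]::Unicode.GetString($p.Value)
        if ($s -notlike '*USBSTOR#*') { continue }        # fixed disks hold MBR signatures / GPT IDs here
        $parts = $s -split '#'
        [pscustomobject]@{ Entry = $p.Name; DeviceClass = $parts[1]; Serial = ($parts[2] -split '&')[0] }
    }
    if (-not (Test-Path 'HKU:')) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
    $sids = @(Get-ChildItem 'HKU:' | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } | ForEach-Object { $_.PSChildName })
    foreach ($v in $usbVols) {
        $letter = ($usbVols | Where-Object { $_.Entry -like '\DosDevices\*' -and $_.Serial -eq $v.Serial } | ForEach-Object { $_.Entry.Substring(12) }) -join ','
        if ($v.Entry -notlike '\??\Volume{*') { continue }
        $guid = $v.Entry -replace '^\\\?\?\\Volume', ''   # '{...}' as used by MountPoints2
        # MountPoints2 exists only in loaded hives; users not logged on need their NTUSER.DAT parsed from disk.
        $users = $sids | Where-Object { Test-Path "HKU:\$_\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\$guid" }
        [pscustomobject]@{ VolumeGuid = $guid; DriveLetter = $letter; Serial = $v.Serial; DeviceClass = $v.DeviceClass; UsersWhoMounted = ($users -join ',') }
    }
}

Get-UsbStorDevices | Format-Table -AutoSize -Wrap
Get-UsbVolumeMap   | Format-Table -AutoSize -Wrap
```

Join the two outputs on Serial: a device with a last-arrival time in Get-UsbStorDevices and a user SID in Get-UsbVolumeMap gives who plugged in which stick, when, and under which drive letter.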
