# Windows Forensic Artifacts – Investigation Workflow & Cheatsheet

## 🎯 Master Investigation Workflow

### Phase 1: Evidence Identification & Scoping

```bash
1. Define Investigation Parameters
   ├─ Incident type (malware, data theft, insider threat, etc.)
   ├─ Timeline of interest
   ├─ Systems and users involved
   └─ Initial indicators of compromise (IOCs)

2. Determine Artifact Priority
   ├─ Volatile artifacts (Prefetch, memory)
   ├─ Execution evidence
   ├─ User activity evidence
   ├─ Persistence mechanisms
   └─ File system artifacts
```

### Phase 2: Systematic Artifact Collection

#### **Collection Order (by Volatility & Importance)**

```bash
Priority 1: VOLATILE DATA
├─ Prefetch files (overwritten at 1024 limit)
└─ Live registry (if live response)

Priority 2: EXECUTION EVIDENCE
├─ Amcache.hve
├─ ShimCache (SYSTEM hive)
├─ UserAssist (NTUSER.DAT)
├─ Jump Lists
└─ LNK Files

Priority 3: USER ACTIVITY
├─ ShellBags (USRCLASS.DAT, NTUSER.DAT)
├─ Recent Documents (RecentDocs registry)
├─ Last Visited MRU
└─ Recycle Bin

Priority 4: FILE SYSTEM ARTIFACTS
├─ $MFT
├─ $J (USN Journal)
├─ $LogFile
└─ Alternate Data Streams

Priority 5: PERSISTENCE
└─ AutoStart Extension Points (ASEPs)
```

### Phase 3: Artifact Analysis Framework

***

## 📂 1. EXECUTION EVIDENCE ARTIFACTS

### 🔹 Prefetch Analysis

**Purpose:** Prove program execution, identify execution patterns

{% code overflow="wrap" %}

```bash
INVESTIGATION STEPS:
1. Extract Prefetch directory
   └─ C:\Windows\Prefetch

2. Check if Prefetch is enabled
   ├─ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
   └─ EnablePrefetcher value: 0=Disabled, 3=Enabled

3. Parse all .pf files
   ├─ Tool: PECmd.exe
   └─ Output: CSV for timeline analysis

4. Analyze for:
   ├─ First execution time (creation - 10 seconds)
   ├─ Last execution time (modification - 10 seconds)
   ├─ Last 8 execution times (Win10/11)
   ├─ Total run count
   ├─ Files and directories referenced
   └─ Volume information

5. Look for RED FLAGS:
   ├─ Multiple prefetch files for same executable name
   ├─ Execution from unusual locations
   ├─ Known malicious tool names
   └─ Execution from removable media paths
```

{% endcode %}

**Commands:**

{% code overflow="wrap" %}

```bash
# Single file analysis
.\PECmd.exe -f C:\Windows\Prefetch\CMD.EXE-8E75B5BB.pf

# Directory analysis with CSV output
.\PECmd.exe -d C:\Windows\Prefetch\ -q --csv G:\Output --csvf prefetch.csv

# Include VSS and highlight keywords
.\PECmd.exe -d C:\Windows\Prefetch\ -q --csv G:\Output --csvf prefetch.csv --vss --mp -k "system32, downloads, fonts"
```

{% endcode %}

**Key Metadata:**

* Executable name
* 8-character hash of executable path
* Creation/modification/access timestamps
* Run count (number of executions)
* Last 8 run times
* Files and directories referenced
* Volume information
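Added example, not code from the cheatsheet or from PECmd: a Python triage pass over a parsed-Prefetch CSV that applies the checks above, the minus-10-second first/last execution rule, duplicate `.pf` names for one executable (with the page's svchost/dllhost/rundll32 exception) and execution from the page's unusual locations. The CSV column names and the `\VOLUME{...}` sample paths are assumptions constructed for this example; map them onto the real PECmd header before use.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Executables that legitimately show several .pf hashes (the cheatsheet's exception list).
EXPECTED_MULTI_HASH = {"SVCHOST.EXE", "DLLHOST.EXE", "RUNDLL32.EXE"}

# Directory fragments from the page's "Unusual Execution Locations" list (upper-cased).
UNUSUAL_PATH_MARKERS = (
    "\\$RECYCLE.BIN\\", "\\PROGRAMDATA\\", "\\TEMP\\", "\\TMP\\", "\\APPDATA\\",
    "\\DOWNLOADS\\", "\\USERS\\PUBLIC\\", "\\SYSTEM VOLUME INFORMATION\\",
)
# A binary sitting directly in a profile root (C:\Users\<name>\x.exe) is unusual too.
PROFILE_ROOT_RE = re.compile(r"(^|\\)USERS\\[^\\]+\\[^\\]+$")

# <EXENAME>-<8 hex chars of the path hash>.pf
PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Constructed sample in the shape of a parsed-Prefetch CSV. The column names are an
# assumption of this example; map them onto the real PECmd header before use.
SAMPLE_CSV = r"""SourceFilename,SourceCreated,SourceModified,ExecutableName,RunCount,FilesLoaded
CMD.EXE-8E75B5BB.pf,2024-03-01 08:00:10+00:00,2024-03-09 17:45:10+00:00,CMD.EXE,12,"\VOLUME{01d9}\WINDOWS\SYSTEM32\CMD.EXE, \VOLUME{01d9}\WINDOWS\SYSTEM32\KERNEL32.DLL"
CMD.EXE-1A2B3C4D.pf,2024-03-08 02:13:40+00:00,2024-03-08 02:13:40+00:00,CMD.EXE,1,"\VOLUME{01d9}\USERS\ALICE\APPDATA\LOCAL\TEMP\CMD.EXE"
SVCHOST.EXE-AAAAAAAA.pf,2024-02-01 07:00:10+00:00,2024-03-09 18:00:10+00:00,SVCHOST.EXE,400,"\VOLUME{01d9}\WINDOWS\SYSTEM32\SVCHOST.EXE"
SVCHOST.EXE-BBBBBBBB.pf,2024-02-01 07:00:10+00:00,2024-03-09 18:00:10+00:00,SVCHOST.EXE,300,"\VOLUME{01d9}\WINDOWS\SYSTEM32\SVCHOST.EXE"
UPD.EXE-0F0F0F0F.pf,2024-03-08 02:15:00+00:00,2024-03-08 02:15:00+00:00,UPD.EXE,1,"\VOLUME{01d9}\USERS\ALICE\DOWNLOADS\UPD.EXE"
"""


def parse_pf_filename(filename: str) -> tuple:
    """'CMD.EXE-8E75B5BB.pf' -> ('CMD.EXE', '8E75B5BB')."""
    m = PF_NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not a prefetch file name: {filename}")
    return m.group("exe").upper(), m.group("hash").upper()


def derive_execution_times(source_created: datetime, source_modified: datetime) -> tuple:
    """First/last execution as the page derives them: .pf created/modified minus 10 s."""
    ten = timedelta(seconds=10)
    return source_created - ten, source_modified - ten


def find_duplicate_names(pf_filenames) -> dict:
    """Executable names seen under more than one path hash, minus the expected exceptions."""
    hashes = defaultdict(set)
    for name in pf_filenames:
        exe, path_hash = parse_pf_filename(name)
        hashes[exe].add(path_hash)
    return {exe: sorted(hs) for exe, hs in hashes.items()
            if len(hs) > 1 and exe not in EXPECTED_MULTI_HASH}


def is_unusual_location(path: str) -> bool:
    """True when the path lies in one of the page's unusual execution locations."""
    up = path.upper().replace("/", "\\")
    return any(m in up for m in UNUSUAL_PATH_MARKERS) or bool(PROFILE_ROOT_RE.search(up))


def triage_prefetch_csv(csv_text: str) -> dict:
    """Run the three checks over every row and return the findings."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    executions, unusual = {}, []
    for row in rows:
        first, last = derive_execution_times(
            datetime.fromisoformat(row["SourceCreated"]),
            datetime.fromisoformat(row["SourceModified"]))
        executions[row["SourceFilename"]] = (first, last, int(row["RunCount"]))
        exe = row["ExecutableName"].upper()
        # Only the executable's own path matters for "execution from unusual location".
        for loaded in row["FilesLoaded"].split(", "):
            if loaded.upper().endswith("\\" + exe) and is_unusual_location(loaded):
                unusual.append((row["SourceFilename"], loaded))
    return {
        "executions": executions,
        "duplicate_names": find_duplicate_names(r["SourceFilename"] for r in rows),
        "unusual_locations": unusual,
    }


if __name__ == "__main__":
    for key, value in triage_prefetch_csv(SAMPLE_CSV).items():
        print(key, value)
```

On the constructed sample the second `CMD.EXE` hash is reported as a duplicate (it ran from a Temp folder) while the two `SVCHOST.EXE` entries are suppressed by the exception list, which is exactly the distinction the red-flag list draws.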

### 🔹 Amcache Analysis

**Purpose:** Identify program presence, validate with SHA1 hashes

{% code overflow="wrap" %}

```bash
INVESTIGATION STEPS:
1. Extract Amcache.hve
   ├─ C:\Windows\AppCompat\Programs\Amcache.hve
   └─ Include .LOG1 and .LOG2 files

2. Parse with AmcacheParser
   ├─ Output to CSV
   └─ Use -i flag for includes

3. Extract key information:
   ├─ Full file paths
   ├─ File sizes
   ├─ File modification times
   ├─ Compilation times
   ├─ Publisher metadata
   └─ SHA1 hashes (KEY VALUE!)

4. Cross-reference SHA1 hashes:
   ├─ Known good (Microsoft files)
   ├─ Known bad (malware databases)
   └─ Unknown (requires further investigation)

5. Correlate with other execution artifacts
   └─ Amcache presence + Prefetch = High confidence execution
```

{% endcode %}

**Commands:**

{% code overflow="wrap" %}

```bash
# Live system analysis
.\AmcacheParser.exe -f "C:\Windows\appcompat\Programs\Amcache.hve" -i --csv C:\Output

# Forensic image analysis
.\AmcacheParser.exe -f "C:\Users\username\Desktop\amcache\Amcache.hve" -i --csv C:\Output

# With blacklist filtering
.\AmcacheParser.exe -f c:\Windows\AppCompat\Programs\Amcache.hve -b G:\Blacklist.txt --csv G:\Output
```

{% endcode %}

**⚠️ Important Note:** Amcache indicates PRESENCE, not proven EXECUTION

### 🔹 ShimCache (AppCompatCache) Analysis

**Purpose:** Historical program presence on system

```bash
INVESTIGATION STEPS:
1. Extract SYSTEM registry hive
   └─ C:\Windows\System32\config\SYSTEM

2. Determine current ControlSet
   └─ SYSTEM\Select\Current

3. Parse AppCompatCache
   └─ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

4. Extract information:
   ├─ Full executable paths
   ├─ Last modification times
   ├─ File sizes
   └─ Execution flag (Win7/8 only)

5. Analyze patterns:
   ├─ Up to 1,024 entries
   ├─ Most recent on top
   ├─ Written only on shutdown
   └─ Deleted files may still appear

6. Investigation use cases:
   ├─ Identify deleted malware
   ├─ Track tool presence
   └─ Build historical timeline
```

**Commands:**

```bash
# Parse SYSTEM hive
.\AppCompatCacheParser.exe -f C:\Windows\System32\config\SYSTEM --csv G:\Output

# Live system
.\AppCompatCacheParser.exe --csv C:\Output --csvf shimcache.csv
```

**⚠️ Critical Note:** Win10+ ShimCache does NOT prove execution, only presence!

### 🔹 UserAssist Analysis

**Purpose:** Track GUI-based program launches

```bash
INVESTIGATION STEPS:
1. Extract NTUSER.DAT hive
   └─ C:\Users\[Username]\NTUSER.DAT

2. Navigate to UserAssist keys
   └─ Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

3. Identify GUID subkeys:
   ├─ CEBFF5CD = Executable File Execution
   └─ F4E57C4B = Shortcut File Execution

4. Decode ROT-13 values
   ├─ Use Registry Explorer (auto-decodes)
   └─ Or manually decode with CyberChef

5. Extract metadata:
   ├─ Application path
   ├─ Last run time
   ├─ Run count
   ├─ Focus time (time application had focus)
   └─ Focus count

6. Analyze for:
   ├─ Unusual application launches
   ├─ Portable applications
   └─ Tools run from removable media
```

**Commands:**

{% code overflow="wrap" %}

```bash
# Use Registry Explorer (Zimmerman Tools)
RegistryExplorer.exe
# File > Live System > NTUSER.DAT
# Navigate: ROOT > Software > Microsoft > Windows > CurrentVersion > Explorer > UserAssist

# Alternative: RegRipper
rip.exe -r NTUSER.DAT -p userassist
```

{% endcode %}

**Key Value:** Tracks GUI program execution with timestamps and frequency
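Added example, not from the page or from Registry Explorer/RegRipper: decoding a UserAssist value in Python, ROT-13 on the value name and the 72-byte Windows 7+ Count layout for run count, focus data and last-run FILETIME. The sample value is constructed here; subkey classification uses only the 8-character GUID prefixes the page lists, and the unusual-location flag reuses the page's red-flag folders.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The page identifies the two subkeys by the first 8 hex digits of their GUID.
GUID_PREFIXES = {"CEBFF5CD": "executable", "F4E57C4B": "shortcut"}

# Path fragments from the page's unusual-location list, used to flag launches.
UNUSUAL_MARKERS = ("\\DOWNLOADS\\", "\\TEMP\\", "\\TMP\\", "\\APPDATA\\",
                   "\\PROGRAMDATA\\", "\\USERS\\PUBLIC\\")


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def classify_subkey(subkey_name: str) -> str:
    """Map a UserAssist {GUID} subkey to the page's two categories by its 8-char prefix."""
    return GUID_PREFIXES.get(subkey_name.strip("{}")[:8].upper(), "unknown")


def parse_userassist_value(value_name: str, data: bytes) -> dict:
    """Decode one Windows 7+ UserAssist\\{GUID}\\Count value.

    Value name: ROT-13 of the launched path. Data (72 bytes): session id at 0,
    run count at 4, focus count at 8, focus time in ms at 12, last-run FILETIME at 60.
    """
    path = codecs.decode(value_name, "rot_13")
    if len(data) < 68:
        raise ValueError(f"UserAssist data too short ({len(data)} bytes) for {path}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": path,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
        "unusual_location": any(m in path.upper() for m in UNUSUAL_MARKERS),
    }


def build_userassist_value(run_count: int, focus_count: int, focus_ms: int, last_run_iso: str) -> bytes:
    """Construct a 72-byte Count value for testing (not a real registry export)."""
    ft = datetime_to_filetime(datetime.fromisoformat(last_run_iso))
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44            # ten floats plus 4 unknown bytes, zeroed here
            + struct.pack("<Q", ft)
            + b"\x00" * 4)


# Constructed sample: a tool launched three times from the user's Downloads folder.
SAMPLE_VALUE_NAME = codecs.encode(r"C:\Users\alice\Downloads\tool.exe", "rot_13")
SAMPLE_VALUE_DATA = build_userassist_value(3, 1, 5000, "2024-01-15T09:05:00+00:00")

if __name__ == "__main__":
    print(classify_subkey("{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"))
    print(parse_userassist_value(SAMPLE_VALUE_NAME, SAMPLE_VALUE_DATA))
```

A zero FILETIME is reported as `None` rather than 1601-01-01, which is how an entry that was counted but never given a timestamp shows up in some hives.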

## 📂 2. USER ACTIVITY ARTIFACTS

### 🔹 Jump Lists Analysis

**Purpose:** Identify applications used and files accessed

{% code overflow="wrap" %}

```bash
INVESTIGATION STEPS:
1. Locate Jump List files
   ├─ AutomaticDestinations: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
   └─ CustomDestinations: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

2. Identify application by AppID
   └─ Reference: https://dfir.to/EZJumpList

3. Parse Jump List files
   ├─ AutomaticDestinations = OLE format
   └─ CustomDestinations = MS-SHLLINK format

4. Extract metadata:
   ├─ Files opened by application
   ├─ File paths and locations
   ├─ Access timestamps
   ├─ Creation time = First item added
   └─ Modification time = Last item added

5. Analyze for:
   ├─ Recent document access
   ├─ Network share connections
   ├─ Removable media usage
   └─ Suspicious file locations
```

{% endcode %}

**Commands:**

{% code overflow="wrap" %}

```bash
# Single file analysis
JLECmd.exe -f C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\<file>.automaticDestinations-ms --csv G:\Output -q

# All automatic destinations
JLECmd.exe -d C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations --csv G:\Output -q

# All custom destinations
JLECmd.exe -d C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations --csv G:\Output -q
```

{% endcode %}

### 🔹 LNK (Shortcut) Files Analysis

**Purpose:** Track file and folder access by users

```bash
INVESTIGATION STEPS:
1. Locate LNK files
   ├─ Recent: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
   └─ Office Recent: %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\

2. Parse LNK files
   └─ Tool: LECmd.exe

3. Extract metadata:
   ├─ Target file path and size
   ├─ Target file timestamps (MAC times)
   ├─ LNK creation time = First opened
   ├─ LNK modification time = Last opened
   ├─ Volume information (name, type, serial)
   ├─ Network share information
   ├─ System name
   └─ Sometimes MAC address

4. Analyze for:
   ├─ Files opened from USB devices
   ├─ Network share access
   ├─ Files that no longer exist
   └─ Recently accessed documents

5. Note behaviors:
   ├─ LNK persists even if target deleted
   ├─ Win10+ includes file extensions
   └─ Only latest open recorded per filename
```

**Commands:**

{% code overflow="wrap" %}

```bash
# Single file
LECmd.exe -f C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\file.lnk

# Directory analysis
LECmd.exe -d C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent --csv G:\Output --html G:\Output -q

# All subdirectories
LECmd.exe -d C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent --all --csv G:\Output

# View with command line
dir filename.xxx.lnk
dir /tc filename.xxx.lnk  # Show creation time
```

{% endcode %}

### 🔹 ShellBags Analysis

**Purpose:** Track folder access and view settings

```bash
INVESTIGATION STEPS:
1. Locate ShellBags registry keys
   Primary:
   ├─ USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
   └─ USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
   
   Residual:
   ├─ NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
   └─ NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

2. Parse ShellBags
   └─ Tools: SBECmd.exe, ShellBagsExplorer.exe

3. Extract information:
   ├─ Folders accessed by user
   ├─ Folder view settings
   ├─ First interaction time
   ├─ Last interaction time
   ├─ Folder timestamps (archived)
   └─ Exotic items (mobile devices, control panel, ZIP archives)

4. Investigate for:
   ├─ Local folder navigation
   ├─ Removable device access
   ├─ Network share browsing
   ├─ Deleted folder evidence
   └─ Hidden directory access
```

**Commands:**

{% code overflow="wrap" %}

```bash
# ShellBags Explorer (GUI)
ShellBagsExplorer.exe

# SBECmd (Command line)
SBECmd.exe -d C:\Users\<user> --csv G:\Output

# Live system
SBECmd.exe -l --csv G:\Output
```

{% endcode %}

**Forensic Value:** Proves user navigated to specific folders, even if deleted

### 🔹 Recycle Bin Analysis

**Purpose:** Identify deleted files and deletion timeline

```bash
INVESTIGATION STEPS:
1. Navigate to Recycle Bin
   └─ C:\$Recycle.Bin

2. Identify user SID folders
   ├─ Each user has separate SID subfolder
   └─ Map SID to username via Registry

3. Understand file naming:
   ├─ $I###### = Metadata (original name, deletion time)
   └─ $R###### = Actual deleted file contents

4. Extract information:
   ├─ Original filename
   ├─ Original path
   ├─ File size
   ├─ Deletion date/time
   └─ File contents (from $R file)

5. Manual examination:
   └─ Use command line to view hidden files

6. Parse with tools for bulk analysis
```

**Commands:**

```bash
# Manual browsing
dir /a
cd $Recycle.Bin
dir /a
cd [SID-of-interest]
dir
type $I******.png  # View metadata
copy $R******.png C:\Users\username\Desktop\recovered.png

# Parse with RBCmd
RBCmd.exe -f C:\$Recycle.Bin\[SID]\$I[file].png

# Parse entire Recycle Bin
RBCmd.exe -d C:\$Recycle.Bin\ -q --csv C:\Output --csvf recycle-bin.csv
```
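Added example (not code from the page or from RBCmd): a Python parser for the `$I` metadata format, version 1 with its fixed 260-character name and version 2 with a length-prefixed name, the `$I`/`$R` pairing, and a deletion timeline across SID folders. The sample `$I` files and the SIDs are constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I file: version, original size, deletion FILETIME, original path."""
    if len(data) < 24:
        raise ValueError("$I file shorter than its 24-byte header")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:      # Vista to 8.1: fixed 260-character UTF-16LE path
        raw = data[24:24 + 520]
    elif version == 2:    # Windows 10+: 4-byte character count, then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_path": path, "size": size,
            "deleted_at": filetime_to_datetime(deleted_ft)}


def companion_name(i_name: str) -> str:
    """$IABC123.docx -> $RABC123.docx, the file that holds the deleted contents."""
    if not i_name.startswith("$I"):
        raise ValueError(f"not an $I file name: {i_name}")
    return "$R" + i_name[2:]


def deletion_timeline(files: dict) -> list:
    """files: {'<SID>/$Ixxxxxx.ext': bytes}. Returns (deleted_at, sid, path, size, $R name), oldest first."""
    rows = []
    for key, data in files.items():
        sid, i_name = key.rsplit("/", 1)
        rec = parse_dollar_i(data)
        rows.append((rec["deleted_at"], sid, rec["original_path"], rec["size"], companion_name(i_name)))
    return sorted(rows)


def build_dollar_i(path: str, size: int, deleted_at_iso: str, version: int = 2) -> bytes:
    """Construct a $I file for testing (v1 fixed-width or v2 length-prefixed name)."""
    ft = datetime_to_filetime(datetime.fromisoformat(deleted_at_iso))
    name = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + name.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + name


# Constructed sample: two users' $I files, SIDs invented for the example.
SAMPLE_BIN = {
    "S-1-5-21-1111-2222-3333-1001/$IABC123.docx":
        build_dollar_i(r"C:\Users\alice\Documents\plan.docx", 12345, "2024-03-05T14:30:00+00:00"),
    "S-1-5-21-1111-2222-3333-1001/$IXYZ789.zip":
        build_dollar_i(r"C:\Users\alice\Desktop\archive.zip", 987654, "2024-03-05T14:25:00+00:00"),
    "S-1-5-21-1111-2222-3333-500/$IOLD001.txt":
        build_dollar_i(r"C:\Temp\notes.txt", 42, "2024-02-28T08:00:00+00:00", version=1),
}

if __name__ == "__main__":
    for row in deletion_timeline(SAMPLE_BIN):
        print(row)
```

The timeline keeps the `$R` name beside each entry so that the contents file can be copied out once the metadata has singled it out, mirroring the `type $I` / `copy $R` steps above.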

### 🔹 Last Visited MRU Analysis

**Purpose:** Track applications and last file locations accessed

{% code overflow="wrap" %}

```bash
INVESTIGATION STEPS:
1. Locate MRU registry keys
   ├─ LastVisitedPidlMRU: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
   ├─ RecentDocs: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
   ├─ OpenSavePidlMRU: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
   └─ RunMRU: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

2. Parse registry hives
   └─ Use Registry Explorer or Regedit

3. Extract information:
   ├─ Applications executed
   ├─ Last directory accessed by application
   ├─ Files opened via Open/Save dialogs
   └─ Commands run via Windows Run utility

4. Analyze for:
   ├─ Unusual directory access
   ├─ Hidden folder interactions
   └─ Application usage patterns
```

{% endcode %}

**Commands:**

{% code overflow="wrap" %}

```bash
# Use Registry Explorer
RegistryExplorer.exe
# Navigate to keys listed above

# Or use regedit on live system
regedit.exe
# Navigate: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
```

{% endcode %}

## 📂 3. FILE SYSTEM ARTIFACTS

### 🔹 Master File Table ($MFT) Analysis

**Purpose:** Comprehensive file system timeline and metadata

```bash
INVESTIGATION STEPS:
1. Extract $MFT
   ├─ Located at root of NTFS volume
   └─ Use FTK Imager or similar

2. Parse $MFT
   └─ Tool: MFTECmd.exe

3. Extract metadata for each file:
   ├─ File name and path
   ├─ File type and size
   ├─ Created timestamp (Birth)
   ├─ Modified timestamp
   ├─ Accessed timestamp
   ├─ MFT Record Modified timestamp
   ├─ File attributes
   └─ Parent directory references

4. Use for:
   ├─ Complete file system timeline
   ├─ Deleted file recovery
   ├─ File existence verification
   └─ Timestamp analysis
```

**Commands:**

```bash
# Parse MFT with CSV output
MFTECmd.exe -f "C:\Temp\$MFT" --csv "C:\Output" --csvf mft.csv

# Parse with JSON output
MFTECmd.exe -f "C:\Temp\$MFT" --json "C:\Output"

# Body file format (for timeline)
MFTECmd.exe -f "C:\Temp\$MFT" --body "C:\Output" --bdl c
```

### 🔹 USN Journal ($J) Analysis

**Purpose:** Track file system changes and operations

```bash
INVESTIGATION STEPS:
1. Extract $J data stream
   └─ \$Extend\$UsnJrnl:$J ($J is an alternate data stream of $UsnJrnl)

2. Parse USN Journal
   └─ Tool: MFTECmd.exe or USN Journal Parser

3. Extract change records:
   ├─ Date/time of change
   ├─ Reason for change (create, delete, rename, modify)
   ├─ MFT entry number
   ├─ MFT parent entry
   ├─ File name
   └─ Sequence of operations

4. Investigate for:
   ├─ File creation events
   ├─ File deletion events
   ├─ File rename operations
   ├─ Anti-forensic activity
   └─ Attacker movement patterns
```

**Commands:**

```bash
# Parse USN Journal
MFTECmd.exe -f "C:\Temp\$J" --csv "C:\Output" --csvf usnjrnl.csv

# Decode specific entries
MFTECmd.exe -f "C:\Temp\$J" --de 5-5
```

**Key Value:** Shows file operations even after files are deleted
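Added example, not code from the page or from MFTECmd: a Python parser for USN_RECORD_V2 entries in `$J`, with handling of zero-filled (sparse) regions, the MFT entry/sequence split of the file reference number, reason-flag decoding, and rename and deletion reconstruction from the record sequence. The `$J` fragment is constructed inline; the reason-bit names follow the Windows SDK constants.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Reason bits of USN_RECORD_V2 (a subset; names follow the Windows SDK constants).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
FILE_CREATE, FILE_DELETE, RENAME_OLD, RENAME_NEW, CLOSE = 0x100, 0x200, 0x1000, 0x2000, 0x80000000

# Fixed 60-byte part of USN_RECORD_V2: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset.
HEADER = struct.Struct("<IHHQQqqIIIIHH")


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def reason_names(reason: int) -> list:
    return [name for bit, name in sorted(USN_REASONS.items()) if reason & bit]


def parse_usn_records(buf: bytes) -> list:
    """Walk a $J byte stream and return the V2 records in order."""
    records, off = [], 0
    while off + 8 <= len(buf):
        (rec_len,) = struct.unpack_from("<I", buf, off)
        if rec_len == 0:                       # zero-filled (sparse) region: advance 8 bytes
            off += 8
            continue
        if rec_len < HEADER.size or off + rec_len > len(buf):
            break                              # truncated or corrupt record: stop here
        (_, major, _, frn, parent_frn, usn, ts, reason, _, _, attrs,
         name_len, name_off) = HEADER.unpack_from(buf, off)
        if major == 2:                         # V3/V4 records (128-bit ids) are skipped by length
            name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
            records.append({
                "usn": usn,
                "timestamp": filetime_to_datetime(ts),
                "mft_entry": frn & 0xFFFFFFFFFFFF,     # low 48 bits = $MFT record number
                "mft_sequence": frn >> 48,             # high 16 bits = sequence number
                "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
                "name": name,
                "attributes": attrs,
                "reason": reason,
                "reasons": reason_names(reason),
            })
        off += rec_len
    return records


def find_renames(records: list) -> list:
    """Pair RENAME_OLD_NAME with the following RENAME_NEW_NAME of the same MFT entry."""
    pending, renames = {}, []
    for r in records:
        if r["reason"] & RENAME_OLD:
            pending[r["mft_entry"]] = r["name"]
        elif r["reason"] & RENAME_NEW and r["mft_entry"] in pending:
            renames.append((r["timestamp"], pending.pop(r["mft_entry"]), r["name"]))
    return renames


def find_deletions(records: list) -> list:
    """Deleted files, taken from the closing FILE_DELETE|CLOSE record so each shows once."""
    return [(r["timestamp"], r["name"], r["mft_entry"])
            for r in records if r["reason"] & FILE_DELETE and r["reason"] & CLOSE]


def build_usn_record(usn: int, ts_iso: str, frn: int, parent_frn: int, reason: int, name: str) -> bytes:
    """Construct one V2 record (8-byte aligned) for testing."""
    name_b = name.encode("utf-16-le")
    rec_len = (HEADER.size + len(name_b) + 7) & ~7
    hdr = HEADER.pack(rec_len, 2, 0, frn, parent_frn, usn,
                      datetime_to_filetime(datetime.fromisoformat(ts_iso)),
                      reason, 0, 0, 0x20, len(name_b), HEADER.size)
    return (hdr + name_b).ljust(rec_len, b"\x00")


def _frn(entry: int, seq: int) -> int:
    return (seq << 48) | entry


# Constructed $J fragment: a file dropped, renamed to a look-alike system name, then deleted.
_F, _DIR = _frn(4096, 5), _frn(77, 1)
SAMPLE_J = b"".join([
    build_usn_record(100, "2024-03-08T02:14:00+00:00", _F, _DIR, FILE_CREATE, "upd.exe"),
    build_usn_record(200, "2024-03-08T02:14:01+00:00", _F, _DIR, FILE_CREATE | 0x2 | CLOSE, "upd.exe"),
    b"\x00" * 16,                              # sparse gap, as seen in a real $J
    build_usn_record(300, "2024-03-08T02:16:00+00:00", _F, _DIR, RENAME_OLD, "upd.exe"),
    build_usn_record(400, "2024-03-08T02:16:00+00:00", _F, _DIR, RENAME_NEW | CLOSE, "svch0st.exe"),
    build_usn_record(500, "2024-03-08T02:40:00+00:00", _F, _DIR, FILE_DELETE, "svch0st.exe"),
    build_usn_record(600, "2024-03-08T02:40:00+00:00", _F, _DIR, FILE_DELETE | CLOSE, "svch0st.exe"),
])
```

The rename pairing keys on the MFT entry number, which is why the parser keeps entry and sequence separate: after a deletion the same entry number is reused with a higher sequence, and a later file must not be paired with an older rename.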

### 🔹 $LogFile Analysis

**Purpose:** NTFS transaction log for all metadata operations

```bash
INVESTIGATION STEPS:
1. Extract $LogFile
   └─ Located at NTFS root, MFT entry #2

2. Parse $LogFile
   └─ Tools: NTFS_Log_Tracker.exe, LogFileParser.exe

3. Extract transaction records:
   ├─ File creation
   ├─ File deletion
   ├─ File renaming
   ├─ File copying
   └─ Metadata modifications

4. Use for:
   ├─ Recent file activity (short retention)
   ├─ Redo/undo operations analysis
   └─ Correlation with other artifacts
```

**Commands:**

```bash
# Parse with NTFS Log Tracker
NTFS_Log_Tracker.exe -f C:\Temp\$LogFile -o C:\Output

# Parse with LogFileParser
LogFileParser.exe -f C:\Temp\$LogFile -o C:\Output
```

### 🔹 Alternate Data Streams (ADS) Analysis

**Purpose:** Detect hidden data within files

```bash
INVESTIGATION STEPS:
1. Scan for ADS
   └─ NTFS attribute, no specific path

2. Use detection tools:
   ├─ streams.exe (Sysinternals)
   ├─ AlternateStreamView.exe
   ├─ PowerShell Get-Item
   └─ cmd.exe dir /R

3. Investigate suspicious streams:
   ├─ Zone.Identifier (normal - tracks download source)
   ├─ Custom streams (potential hiding)
   └─ Executable streams (malware)

4. Extract and analyze contents:
   └─ Use notepad, PowerShell, or hex editor

5. Look for:
   ├─ Hidden executables
   ├─ Hacking toolkits
   ├─ Concealed documents
   └─ Malicious scripts
```

**Commands:**

```bash
# Sysinternals Streams
streams.exe -s C:\path\to\directory

# PowerShell
Get-Item C:\path\to\file -Stream *
Get-Content C:\path\to\file -Stream [stream-name]

# Command Prompt
dir /R C:\path\to\directory

# AlternateStreamView (GUI)
AlternateStreamView.exe
```
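Added example (not from the page, Sysinternals or PowerShell): Python triage of the streams enumerated for one file, which parses Zone.Identifier into zone and source URL, flags every other named stream, and rates a stream that begins with a PE header highest. The stream listing is constructed; `:$DATA` is assumed to be how the main unnamed stream appears in the enumeration.

```python
# Zone.Identifier ZoneId values (URLZONE_* in the Windows SDK).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
MAIN_STREAM = ":$DATA"          # assumed name of the unnamed data stream in the enumeration
PE_MAGIC = b"MZ"


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style contents of a Zone.Identifier stream."""
    values, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    zone_id = int(values["ZoneId"]) if values.get("ZoneId", "").isdigit() else None
    return {"zone_id": zone_id, "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
            "referrer": values.get("ReferrerUrl"), "host_url": values.get("HostUrl")}


def triage_streams(filename: str, streams: dict) -> list:
    """streams: {stream name: content bytes} for one file. Returns (file, stream, severity, note)."""
    findings = []
    for name, content in streams.items():
        if name == MAIN_STREAM:
            continue                                   # the file's own contents, nothing hidden
        if name == "Zone.Identifier":
            z = parse_zone_identifier(content.decode("utf-8", errors="replace"))
            findings.append((filename, name, "info",
                             f"download marker: zone {z['zone_id']} ({z['zone_name']}) from {z['host_url']}"))
        elif content.startswith(PE_MAGIC):
            findings.append((filename, name, "high", f"PE image ({len(content)} bytes) stored in an ADS"))
        else:
            findings.append((filename, name, "medium", f"unexpected named stream, {len(content)} bytes"))
    return findings


def severity_counts(findings: list) -> dict:
    counts = {}
    for _, _, sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample: a downloaded document carrying the expected marker plus two unexpected streams.
SAMPLE_STREAMS = {
    ":$DATA": b"report text...",
    "Zone.Identifier": (b"[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
                        b"HostUrl=https://example.invalid/dl/report.docx\r\n"),
    "payload.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "notes": b"meeting at 9",
}

if __name__ == "__main__":
    for finding in triage_streams("report.docx", SAMPLE_STREAMS):
        print(finding)
```

Feed it the stream names and contents that `Get-Item -Stream *` and `Get-Content -Stream` return for each file of interest; the Zone.Identifier parse also gives the download source the page's "Was malware downloaded?" row relies on.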

## 📂 4. PERSISTENCE MECHANISMS

### 🔹 AutoStart Extension Points (ASEP) Analysis

**Purpose:** Identify malware persistence locations

```bash
INVESTIGATION STEPS:
1. Understand persistence
   └─ Malware ability to survive reboots

2. Check primary AutoStart locations:
   Registry Keys:
   ├─ HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   ├─ HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
   ├─ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   ├─ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
   ├─ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
   └─ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
   
   File System:
   └─ %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

3. Check additional persistence methods:
   ├─ Scheduled Tasks
   ├─ Windows Services
   ├─ Service Creation/Replacement
   ├─ DLL Search Order Hijacking
   ├─ Trojaned System Libraries
   ├─ WMI Event Subscriptions
   ├─ Local Group Policy
   └─ MS Office Add-Ins

4. Parse with tools for comprehensive coverage

5. Compare across systems (stacking)
   └─ Identify unique/suspicious entries
```

**Commands:**

{% code overflow="wrap" %}

```bash
# KAPE collection
.\kape.exe --tsource C: --tdest C:\Output\ASEP-tout --tflush --target RegistryHives --mdest C:\Output\ASEP-mout --mflush --module RECmd_RegistryASEPs

# Autoruns (Sysinternals)
.\autorunsc64.exe -accepteula -a * -s -h -c > autoruns-output.csv
# Flags: -a * (all locations), -s (verify signatures), -h (hashes), -c (CSV)

# RECmd (Registry Explorer)
RECmd.exe --bn BatchExamples\RegistryASEPs.reb -d D:\Triage --nl --csv D:\Output

# Analyze with Timeline Explorer
TimelineExplorer.exe autoruns-output.csv
```

{% endcode %}

**Investigation Focus:**

* Services with suspicious image paths (not in System32)
* Unsigned executables in autostart locations
* Recent registry LastWrite times during attack window
* Base64 encoded commands in registry values
* Scripts in startup folders

## 🔍 CROSS-ARTIFACT ANALYSIS MATRIX

#### Evidence Correlation Table

| **Investigation Question**             | **Primary Artifacts**                                                    | **Secondary Artifacts**                                                                     | **Validation Method**                                                                               | **Confidence Level** |
| -------------------------------------- | ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | -------------------- |
| Was program executed?                  | <p>• Prefetch<br>• UserAssist (GUI only)</p>                             | <p>• Jump Lists<br>• Amcache<br>• LNK files</p>                                             | <p>Prefetch shows run count + last 8 times<br>UserAssist shows GUI launches</p>                     | HIGH ✅               |
| When was program first run?            | <p>• Prefetch creation time (-10s)<br>• UserAssist first run</p>         | <p>• Amcache compilation time<br>• ShimCache first appearance<br>• $MFT file creation</p>   | <p>Cross-reference timestamps across artifacts<br>VSS for historical validation</p>                 | HIGH ✅               |
| When was program last run?             | <p>• Prefetch modified time (-10s)<br>• UserAssist last run time</p>     | <p>• Jump Lists modification<br>• LNK file modification<br>• $J recent operations</p>       | <p>Compare last execution timestamps<br>Check for temporal consistency</p>                          | HIGH ✅               |
| How many times was program executed?   | <p>• Prefetch run count<br>• UserAssist run count</p>                    | <p>• Jump Lists entry count<br>• Multiple LNK files</p>                                     | <p>Run counts should correlate<br>Note: GUI vs CLI differences</p>                                  | HIGH ✅               |
| What files did program access?         | <p>• Prefetch file list<br>• Jump Lists (by AppID)</p>                   | <p>• LNK files<br>• RecentDocs registry<br>• $J file operations</p>                         | <p>Map files to applications<br>Timeline correlation</p>                                            | MEDIUM-HIGH ✓        |
| What folders did program access?       | • Prefetch directory list                                                | <p>• ShellBags<br>• LNK files<br>• OpenSavePidlMRU</p>                                      | <p>Cross-reference paths<br>Check for hidden directories</p>                                        | MEDIUM ✓             |
| What is program's SHA1 hash?           | • Amcache (ONLY SOURCE)                                                  | None (unique to Amcache)                                                                    | <p>Extract from Amcache<br>Verify against VirusTotal<br>Compare to known malware</p>                | HIGH ✅               |
| Did program exist on system?           | <p>• ShimCache<br>• Amcache</p>                                          | <p>• $MFT<br>• Prefetch<br>• $J</p>                                                         | <p>ShimCache proves presence<br>$MFT shows file existence<br>Note: Win10+ ShimCache limitations</p> | MEDIUM-HIGH ✓        |
| Was file deleted?                      | <p>• Recycle Bin ($I/$R files)<br>• $J USN records</p>                   | <p>• $MFT (deleted entry flag)<br>• $LogFile<br>• ShimCache (may persist)</p>               | <p>$I file shows deletion time<br>$J shows delete operation<br>$MFT shows deleted flag</p>          | HIGH ✅               |
| When was file deleted?                 | <p>• Recycle Bin $I metadata<br>• $J delete timestamp</p>                | <p>• $LogFile transaction<br>• $MFT timestamp analysis</p>                                  | <p>Parse $I file for deletion time<br>Correlate with $J entries</p>                                 | HIGH ✅               |
| Was file renamed or moved?             | <p>• $J rename operations<br>• $LogFile transactions</p>                 | <p>• $MFT parent directory changes<br>• ShellBags path history</p>                          | <p>$J shows old and new names<br>Sequence of operations in $LogFile</p>                             | MEDIUM-HIGH ✓        |
| What folders did user browse?          | • ShellBags                                                              | <p>• LNK files<br>• Jump Lists<br>• LastVisitedPidlMRU</p>                                  | <p>ShellBags proves navigation<br>LNK files show file access<br>MRU shows application paths</p>     | HIGH ✅               |
| Was USB device connected?              | <p>• ShellBags (device paths)<br>• LNK files (volume info)</p>           | <p>• Registry USBSTOR keys<br>• Prefetch (volume data)<br>• Jump Lists</p>                  | <p>Volume serial numbers match<br>Drive letter assignments<br>Timestamps correlate</p>              | HIGH ✅               |
| When was USB first connected?          | <p>• Registry USBSTOR key creation<br>• ShellBags first access</p>       | <p>• LNK file with volume serial<br>• Prefetch with volume info</p>                         | <p>Registry key timestamp<br>First ShellBag entry for device</p>                                    | HIGH ✅               |
| When was USB last connected?           | <p>• ShellBags last access<br>• LNK file timestamps</p>                  | <p>• Registry USBSTOR last write<br>• Prefetch last run (if program executed)</p>           | <p>Most recent timestamp for volume serial<br>Last file access from device</p>                      | HIGH ✅               |
| What files were accessed from USB?     | <p>• LNK files (volume serial match)<br>• Jump Lists</p>                 | <p>• Prefetch (if executables run)<br>• RecentDocs<br>• ShellBags</p>                       | <p>Filter artifacts by volume serial<br>Match drive letters to volume info</p>                      | HIGH ✅               |
| Were programs executed from USB?       | <p>• Prefetch (volume information)<br>• UserAssist</p>                   | <p>• Jump Lists<br>• LNK files</p>                                                          | <p>Prefetch shows source volume<br>Cross-reference with USB timeline</p>                            | HIGH ✅               |
| What files were opened by user?        | <p>• Jump Lists (by application)<br>• LNK files</p>                      | <p>• RecentDocs registry<br>• LastVisitedPidlMRU<br>• Office Recent files</p>               | <p>Application-specific tracking<br>Timeline of document access</p>                                 | HIGH ✅               |
| What applications did user run?        | <p>• Prefetch<br>• UserAssist</p>                                        | <p>• Jump Lists<br>• Amcache<br>• ShimCache</p>                                             | <p>Multiple sources confirm usage<br>Frequency and timing data</p>                                  | HIGH ✅               |
| Is malware persistent?                 | <p>• ASEP registry keys<br>• Startup folder contents</p>                 | <p>• Scheduled Tasks<br>• Windows Services<br>• WMI subscriptions</p>                       | <p>Check all autostart locations<br>Verify signatures<br>Compare across systems (stacking)</p>      | HIGH ✅               |
| When was persistence established?      | <p>• Registry key LastWrite times<br>• Scheduled Task creation time</p>  | <p>• File creation time (startup folder)<br>• Service creation time<br>• $MFT timestamp</p> | <p>LastWrite time of Run keys<br>Task file creation timestamp</p>                                   | HIGH ✅               |
| What persistence mechanisms exist?     | <p>• Autoruns comprehensive scan<br>• ASEP registry analysis</p>         | <p>• Manual service review<br>• WMI subscription query<br>• DLL hijacking check</p>         | <p>Enumerate all autostart points<br>Identify unsigned/unusual entries</p>                          | HIGH ✅               |
| Is data hidden in files?               | <p>• ADS scan (streams.exe)<br>• AlternateStreamView</p>                 | <p>• PowerShell Get-Item<br>• dir /R command</p>                                            | <p>Scan for non-Zone.Identifier streams<br>Examine suspicious streams</p>                           | HIGH ✅               |
| Were files archived/compressed?        | <p>• Prefetch (7zip, WinRAR, WinZip)<br>• Jump Lists (archive tools)</p> | <p>• $J (.zip, .rar, .7z creation)<br>• UserAssist<br>• $MFT</p>                            | <p>Archive tool execution evidence<br>Archive file creation events</p>                              | HIGH ✅               |
| Were files uploaded/exfiltrated?       | <p>• Prefetch (FTP, cloud tools)<br>• Jump Lists (upload apps)</p>       | <p>• Browser artifacts<br>• Network share access<br>• $J file operations</p>                | <p>Upload tool execution<br>Large file movements<br>Network connections</p>                         | MEDIUM-HIGH ✓        |
| Were files staged for exfiltration?    | <p>• ShellBags (new directories)<br>• $J (directory creation)</p>        | <p>• $MFT (staging folder)<br>• Jump Lists (mass file access)<br>• LNK files</p>            | <p>New directory creation<br>Mass file copy operations<br>Temporal clustering</p>                   | MEDIUM-HIGH ✓        |
| What network shares were accessed?     | <p>• ShellBags (UNC paths)<br>• LNK files (network info)</p>             | <p>• Jump Lists<br>• LastVisitedPidlMRU<br>• RecentDocs</p>                                 | <p>UNC path evidence<br>Network share information<br>Remote file access</p>                         | HIGH ✅               |
| Were system files modified?            | <p>• $LogFile transactions<br>• $J operations</p>                        | <p>• $MFT timestamps<br>• ShimCache updates<br>• Prefetch for system tools</p>              | <p>System file modification events<br>Suspicious system tool execution</p>                          | HIGH ✅               |
| Were logs cleared?                     | <p>• Prefetch (wevtutil.exe)<br>• $J (log file deletions)</p>            | <p>• Event log timestamps<br>• UserAssist<br>• ShimCache</p>                                | <p>Log clearing tool execution<br>Event log file operations<br>Suspicious gaps in logs</p>          | HIGH ✅               |
| Were anti-forensic tools used?         | <p>• Prefetch (CCleaner, BleachBit, etc.)<br>• UserAssist</p>            | <p>• Jump Lists<br>• Amcache SHA1<br>• ShimCache</p>                                        | <p>Tool execution evidence<br>Timeline of cleaning activity<br>Hash matching</p>                    | HIGH ✅               |
| Was remote access tool used?           | <p>• Prefetch (RDP, VNC, TeamViewer)<br>• Amcache</p>                    | <p>• ASEP (persistence check)<br>• Services<br>• Network artifacts</p>                      | <p>Remote tool execution<br>Persistence mechanisms<br>Connection timestamps</p>                     | HIGH ✅               |
| Were credentials dumped?               | <p>• Prefetch (mimikatz, pwdump)<br>• Amcache SHA1</p>                   | <p>• $J (SAM/SYSTEM access)<br>• Jump Lists<br>• File access to credential stores</p>       | <p>Credential dumping tool execution<br>Access to credential files<br>Hash identification</p>       | HIGH ✅               |
| Was lateral movement performed?        | <p>• Prefetch (psexec, wmic)<br>• UserAssist</p>                         | <p>• Scheduled Tasks (remote)<br>• Services (remote creation)<br>• Network artifacts</p>    | <p>Lateral movement tool execution<br>Remote task/service creation<br>Timeline correlation</p>      | HIGH ✅               |
| Were reconnaissance commands run?      | <p>• Prefetch (cmd, powershell, wmic)<br>• UserAssist</p>                | <p>• Jump Lists<br>• RecentDocs<br>• ShimCache</p>                                          | <p>System enumeration tools<br>Command line execution<br>Unusual tool combinations</p>              | MEDIUM-HIGH ✓        |
| Was malware downloaded?                | <p>• Browser artifacts<br>• Prefetch (download locations)</p>            | <p>• $J (file creation in Downloads)<br>• Zone.Identifier ADS<br>• LNK files</p>            | <p>Download timestamp<br>Zone.Identifier shows source<br>File creation in Downloads</p>             | HIGH ✅               |
| Was file opened from email attachment? | <p>• Jump Lists (email client)<br>• LNK files</p>                        | <p>• Zone.Identifier ADS<br>• Outlook artifacts<br>• Temp folder activity</p>               | <p>Email client file access<br>Temp folder execution<br>Zone information</p>                        | MEDIUM-HIGH ✓        |
| Did program crash or fail?             | <p>• Prefetch (may exist without success)<br>• Event logs</p>            | <p>• $LogFile errors<br>• Application crash dumps<br>• Windows Error Reporting</p>          | <p>Prefetch created ≠ successful execution<br>Error events correlate</p>                            | MEDIUM ⚠️            |
| What was timeline of attack?           | • ALL ARTIFACTS COMBINED                                                 | <p>• Super timeline creation<br>• VSS for historical depth</p>                              | <p>Build comprehensive timeline<br>Correlate all timestamps<br>Identify phases of attack</p>        | HIGH ✅               |

### 🎯 Artifact Combination Strategies

#### Maximum Confidence Combinations

**Execution Proof (Highest Confidence):**

```bash
Prefetch (run count + times) 
+ Amcache (SHA1 hash match) 
+ UserAssist (GUI execution) 
+ Jump Lists (files accessed)
= 95%+ confidence of execution
```

**File Access Proof:**

```bash
LNK files (target path + volume info)
+ Jump Lists (application association)
+ ShellBags (folder navigation)
+ RecentDocs (document tracking)
= 90%+ confidence of access
```

**USB Device Usage:**

```bash
ShellBags (device path + timestamps)
+ LNK files (volume serial number)
+ Registry USBSTOR (device info)
+ Prefetch (program execution from device)
= 95%+ confidence of usage
```

**Persistence Confirmation:**

```bash
ASEP registry keys (autostart entries)
+ Scheduled Tasks (task files)
+ Services (service registry)
+ Autoruns (comprehensive scan)
= 90%+ confidence of persistence
```

**Data Exfiltration:**

```bash
Prefetch (archive/upload tools)
+ Jump Lists (files archived)
+ $J (file operations)
+ ShellBags (staging directories)
+ LNK files (USB or network paths)
= 85%+ confidence of exfiltration
```

## 🚨 INVESTIGATION RED FLAGS MASTER LIST

### Execution-Based Indicators

```bash
❌ Suspicious Executable Names
├─ One or two-letter names (a.exe, ab.exe)
├─ Random character strings (asdfjkl.exe)
├─ Misspelled system files (svch0st.exe, exp1orer.exe)
└─ Known malware names (mimikatz, pwdump, psexec)

❌ Unusual Execution Locations
├─ C:\$Recycle.Bin
├─ C:\ProgramData
├─ %TEMP% or %TMP%
├─ %APPDATA%
├─ User profile root (C:\Users\username\)
├─ Downloads folder
├─ Public folders
└─ System Volume Information

❌ Multiple Prefetch Files Same Name
├─ Indicates execution from different paths
└─ Exception: svchost, dllhost, rundll32 (expected)

❌ Living Off The Land Binaries (LOLBins)
├─ cmd.exe (from non-System32)
├─ powershell.exe (unusual parameters)
├─ wmic.exe
├─ psexec.exe
├─ reg.exe
├─ schtasks.exe
├─ net.exe / net1.exe
├─ wscript.exe / cscript.exe
├─ mshta.exe
├─ regsvr32.exe
├─ rundll32.exe (unusual parameters)
└─ certutil.exe (download operations)
```

### Temporal Red Flags

```
❌ Off-Hours Activity
├─ Executions at 2-5 AM
├─ Weekend activity in corporate environment
└─ Holiday activity

❌ Rapid Sequential Execution
├─ Reconnaissance tools run in quick succession
├─ Multiple system tools within minutes
└─ Mass file access patterns

❌ Execution Immediately After
├─ USB device connection
├─ Network share access
├─ Email receipt timestamp
└─ User login
```

### Persistence Red Flags

```
❌ Suspicious AutoStart Entries
├─ Unsigned executables in Run keys
├─ Base64 encoded commands
├─ Scripts in Startup folder
├─ Services with unusual paths
└─ Recent registry modifications

❌ Scheduled Task Indicators
├─ Tasks running as SYSTEM
├─ Tasks with unusual triggers
├─ Tasks pointing to temp directories
└─ Recently created tasks during incident window
```

### User Activity Red Flags

```
❌ Unusual File Access
├─ Access to sensitive directories (SAM, SYSTEM)
├─ Mass document opening
├─ Network share enumeration
└─ System file browsing

❌ Data Exfiltration Indicators
├─ Large file copies to USB
├─ Archive creation (zip, rar)
├─ Upload to cloud services
└─ Files moved to staging directories
```
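
A triage pass over Prefetch-derived records that applies the execution-based and temporal red flags above, added here as an example and not part of the original cheatsheet. The records, the .pf hashes and the rapid-execution thresholds (three system tools inside five minutes) are constructed assumptions; map PECmd's CSV columns onto the `pf`, `path` and `run` fields before running it on real output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Name sets come from the red-flag list above (lower-case, no extension).
LOLBINS = {"cmd", "powershell", "wmic", "psexec", "reg", "schtasks", "net", "net1",
           "wscript", "cscript", "mshta", "regsvr32", "rundll32", "certutil"}
KNOWN_TOOLS = {"mimikatz", "pwdump", "psexec"}
DUPLICATE_OK = {"svchost", "dllhost", "rundll32"}  # several .pf files are expected
SYSTEM_NAMES = {"svchost", "explorer", "lsass", "csrss", "winlogon", "dllhost",
                "services", "smss", "conhost", "taskhostw"}
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
UNUSUAL_DIR = re.compile(
    r"^[a-z]:\\(?:\$recycle\.bin|programdata|windows\\temp|system volume information"
    r"|users\\public|users\\[^\\]+\\(?:downloads|appdata\\roaming|appdata\\local\\temp))\\",
    re.I)
PROFILE_ROOT = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+$", re.I)  # exe directly in a profile
RAPID_WINDOW, RAPID_COUNT = timedelta(minutes=5), 3  # assumed thresholds, tune per environment


def name_flags(stem):
    """Red flags that depend only on the executable's base name (no extension)."""
    flags = {tag for tag, hit in (("short-name", len(stem) <= 2),
                                  ("known-tool-name", stem in KNOWN_TOOLS),
                                  ("lolbin", stem in LOLBINS)) if hit}
    fixed = stem.translate(LOOKALIKE)  # svch0st -> svchost, exp1orer -> explorer
    if fixed != stem and fixed in SYSTEM_NAMES:
        flags.add("misspelled-system-file")
    vowels = sum(c in "aeiouy" for c in stem)
    if len(stem) >= 7 and vowels / len(stem) < 0.15 and fixed not in SYSTEM_NAMES | LOLBINS:
        flags.add("random-looking-name")  # asdfjkl.exe; a heuristic, expect some noise
    return flags


def triage(records):
    """Return {pf_name: sorted red flags} for records {"pf", "path", "run"}."""
    # pf: .pf file name; path: executable path resolved from it; run: last run, local time.
    flags, by_stem = defaultdict(set), defaultdict(set)
    for r in records:
        pf, stem = r["pf"], r["pf"].split(".")[0].lower()  # CMD.EXE-4A81B364.pf -> cmd
        flags[pf] |= name_flags(stem)
        by_stem[stem].add(pf)
        if UNUSUAL_DIR.match(r["path"]) or PROFILE_ROOT.match(r["path"]):
            flags[pf].add("unusual-location")
        if 2 <= r["run"].hour <= 5:  # "executions at 2-5 AM"
            flags[pf].add("off-hours")
        if r["run"].weekday() >= 5:
            flags[pf].add("weekend")
    for stem, pfs in by_stem.items():  # same name, different hash = launched from different paths
        if len(pfs) > 1 and stem not in DUPLICATE_OK:
            for pf in pfs:
                flags[pf].add("multiple-pf-same-name")
    runs = sorted((r["run"], r["pf"]) for r in records if "lolbin" in flags[r["pf"]])
    for i in range(len(runs) - RAPID_COUNT + 1):  # RAPID_COUNT system tools inside RAPID_WINDOW
        if runs[i + RAPID_COUNT - 1][0] - runs[i][0] <= RAPID_WINDOW:
            for _, pf in runs[i:i + RAPID_COUNT]:
                flags[pf].add("rapid-sequential")
    return {pf: sorted(f) for pf, f in flags.items() if f}


def rec(pf, path, *when):
    return {"pf": pf, "path": path, "run": datetime(*when)}


SAMPLE = [  # constructed records: names, hashes and times are made up
    rec("CMD.EXE-4A81B364.pf", r"C:\Windows\System32\cmd.exe", 2024, 3, 16, 3, 12, 0),
    rec("WMIC.EXE-8C2F1A55.pf", r"C:\Windows\System32\wbem\WMIC.exe", 2024, 3, 16, 3, 12, 40),
    rec("NET.EXE-5E3D7B10.pf", r"C:\Windows\System32\net.exe", 2024, 3, 16, 3, 13, 5),
    rec("SVCH0ST.EXE-9F00AA11.pf", r"C:\Users\alice\AppData\Local\Temp\svch0st.exe", 2024, 3, 16, 3, 15, 30),
    rec("CMD.EXE-7D9E2B01.pf", r"C:\Users\alice\Downloads\cmd.exe", 2024, 3, 16, 3, 16, 0),
    rec("EXCEL.EXE-0C3A2F19.pf", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", 2024, 3, 14, 10, 5, 0),
]
```

Records that raise no flag are left out of the result, so the Excel entry in the sample is absent while the Saturday 03:12 burst of cmd, wmic and net is tagged as rapid sequential execution.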

***

### 🛠️ TOOL COMMAND REFERENCE LIBRARY

#### Zimmerman Tools Suite

**PECmd (Prefetch)**

{% code overflow="wrap" %}

```bash
# Single file
.\PECmd.exe -f C:\Windows\Prefetch\[file].pf

# Single file with CSV
.\PECmd.exe -f C:\Windows\Prefetch\[file].pf --csv "C:\Output" --csvf prefetch.csv

# Directory
.\PECmd.exe -d C:\Windows\Prefetch

# Directory with VSS and keywords
.\PECmd.exe -d C:\Windows\Prefetch -q --csv C:\Output --csvf prefetch.csv --vss --mp -k "system32, downloads, temp"
```

{% endcode %}

**AmcacheParser**

```bash
# Live system
.\AmcacheParser.exe -f "C:\Windows\appcompat\Programs\Amcache.hve" -i --csv C:\Output

# Forensic image
.\AmcacheParser.exe -f "[path]\Amcache.hve" -i --csv C:\Output

# With blacklist
.\AmcacheParser.exe -f "[path]\Amcache.hve" -b C:\blacklist.txt --csv C:\Output
```

**AppCompatCacheParser (ShimCache)**

```bash
# From SYSTEM hive
.\AppCompatCacheParser.exe -f C:\Windows\System32\config\SYSTEM --csv C:\Output

# Live system
.\AppCompatCacheParser.exe --csv C:\Output --csvf shimcache.csv
```

**JLECmd (Jump Lists)**

{% code overflow="wrap" %}

```bash
# Single file
JLECmd.exe -f "[path]\[file].automaticDestinations-ms" --csv C:\Output -q

# Directory (Automatic)
JLECmd.exe -d "C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv C:\Output -q

# Directory (Custom)
JLECmd.exe -d "C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations" --csv C:\Output -q
```

{% endcode %}

**LECmd (LNK Files)**

{% code overflow="wrap" %}

```bash
# Single file
LECmd.exe -f "[path]\[file].lnk"

# Single file with outputs
LECmd.exe -f "[path]\[file].lnk" --json C:\Output --pretty

# Directory
LECmd.exe -d "C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Recent" --csv C:\Output --html C:\Output -q

# All subdirectories
LECmd.exe -d "[path]" --all --csv C:\Output
```

{% endcode %}

**SBECmd (ShellBags)**

```bash
# Specific user directory
SBECmd.exe -d C:\Users\[user] --csv C:\Output

# Live system
SBECmd.exe -l --csv C:\Output
```

**RBCmd (Recycle Bin)**

```bash
# Single file
RBCmd.exe -f "C:\$Recycle.Bin\[SID]\$I[file]"

# Entire Recycle Bin
RBCmd.exe -d C:\$Recycle.Bin\ -q --csv C:\Output --csvf recycle-bin.csv
```

**MFTECmd (MFT, $J, etc.)**

```bash
# Parse MFT
MFTECmd.exe -f "[path]\$MFT" --csv "C:\Output" --csvf mft.csv

# Parse with JSON
MFTECmd.exe -f "[path]\$MFT" --json "C:\Output"

# Parse USN Journal
MFTECmd.exe -f "[path]\$J" --csv "C:\Output" --csvf usnjrnl.csv

# Body file format
MFTECmd.exe -f "[path]\$MFT" --body "C:\Output" --bdl c

# Decode specific entry
MFTECmd.exe -f "[path]\$MFT" --de 5-5
```

**Registry Explorer**

```bash
# GUI tool - launch and navigate
RegistryExplorer.exe

# Load live system
# File > Live System > [select hive]

# Load offline hive
# File > Load Hive > [select file]
```

**RECmd (Registry Explorer CLI)**

```bash
# Parse ASEP registry keys
RECmd.exe --bn BatchExamples\RegistryASEPs.reb -d [path] --nl --csv C:\Output

# Custom registry parsing
RECmd.exe -f "[path]\NTUSER.DAT" --csv C:\Output
```

***

#### KAPE (Kroll Artifact Parser and Extractor)

{% code overflow="wrap" %}

```bash
# Collect Registry Hives
.\kape.exe --tsource C: --tdest C:\Output\tout --tflush --target RegistryHives

# Collect and parse ASEP
.\kape.exe --tsource C: --tdest C:\Output\tout --tflush --target RegistryHives --mdest C:\Output\mout --mflush --module RECmd_RegistryASEPs

# Comprehensive collection
.\kape.exe --tsource C: --tdest C:\Output\tout --target !SANS_Triage --mdest C:\Output\mout --module !EZParser
```

{% endcode %}

***

#### Sysinternals Tools

**Autoruns**

```bash
# Full scan with signatures and hashes
.\autorunsc64.exe -accepteula -a * -s -h -c > autoruns-output.csv

# Flags explanation:
# -accepteula = Accept EULA automatically
# -a * = Show all autostart locations
# -s = Verify digital signatures
# -h = Show file hashes
# -c = Output as CSV
```

**Streams (ADS)**

```bash
# Scan directory for ADS
streams.exe -s C:\path\to\directory

# Scan file
streams.exe C:\path\to\file

# Delete specific stream
streams.exe -d [stream-name] C:\path\to\file
```

***

#### FTK Imager

{% code overflow="wrap" %}

```bash
# CLI mode - create image
ftkimager.exe [source] [destination] --e01 --compress 6 --case-number [case] --evidence-number [num]

# GUI operations:
# File > Add Evidence Item > [select source]
# Browse to artifact location
# Right-click > Export Files
```

{% endcode %}

***

#### PowerShell Commands

**Alternate Data Streams**

```powershell
# List all streams
Get-Item C:\path\to\file -Stream *

# Read stream content
Get-Content C:\path\to\file -Stream [stream-name]

# Create stream
Set-Content C:\path\to\file -Stream [stream-name] -Value "content"

# Remove stream
Remove-Item C:\path\to\file -Stream [stream-name]
```

**Registry Access**

{% code overflow="wrap" %}

```powershell
# Read registry key
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count"

# Export registry key
reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" C:\Output\shimcache.reg
```

{% endcode %}

***

#### Command Prompt Commands

**Recycle Bin Manual Examination**

```bash
# Show hidden files
dir /a

# Navigate to Recycle Bin
cd C:\$Recycle.Bin
dir /a

# Navigate to user SID
cd [SID]
dir

# View metadata file
type $I[identifier]

# Copy deleted file
copy $R[identifier] C:\Output\recovered-file.ext
```
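
The `$I` record that `type $I[identifier]` dumps above can be decoded programmatically; this parser is an added example, not part of the cheatsheet. The sample record and its file name are constructed, and `build_i_file` exists only to produce that sample.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME is a count of 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when):
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_i_file(data):
    """Parse one $I record: version (8), original size (8), deletion FILETIME (8), path.

    Version 1 (Vista through 8.1) stores the path as a fixed 520-byte UTF-16LE
    field; version 2 (Windows 10 and later) stores a 4-byte character count
    (including the terminating null) followed by the UTF-16LE path.
    """
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated $I header")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated $I path")
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_datetime(ticks), "original_path": path}


def partner_name(i_name):
    """$I<id>.<ext> describes the content stored beside it as $R<id>.<ext>."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_i_file(path, size, deleted_utc, version=2):
    """Serialise a $I record; used here only to construct sample input."""
    body = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_utc))
    if version == 1:
        return header + body.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + body


# Constructed sample: a spreadsheet deleted at 03:20:15 UTC on a Windows 10 host.
SAMPLE_I_NAME = "$IK3P9Q2.xlsx"
SAMPLE_I = build_i_file(r"C:\Users\alice\Documents\payroll.xlsx", 48213,
                        datetime(2024, 3, 16, 3, 20, 15, tzinfo=timezone.utc))
SAMPLE_RECORD = parse_i_file(SAMPLE_I)
```

The deletion time is the only timestamp the record carries; the `$R` file keeps the original content and its own NTFS timestamps, so both are needed for the timeline.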

**Alternate Data Streams**

```cmd
# List files with streams
dir /R C:\path\to\directory

# View stream
more < C:\path\to\file:[stream-name]

# Execute from stream
wscript.exe C:\path\to\file:[stream-name]
```

---

## 📋 INVESTIGATION TEMPLATES

### Template 1: Malware Execution Investigation

```
OBJECTIVE: Determine if suspicious executable was run and when

ARTIFACTS TO COLLECT:
☐ Prefetch files
☐ Amcache.hve
☐ SYSTEM hive (ShimCache)
☐ NTUSER.DAT (UserAssist)

ANALYSIS WORKFLOW:
1. Search Prefetch for executable name
   ├─ If found: Extract last 8 run times and run count
   └─ If not found: Check if Prefetch is enabled

2. Search Amcache for executable
   ├─ Extract SHA1 hash
   ├─ Check VirusTotal / malware databases
   └─ Note full path and timestamps

3. Search ShimCache for executable path
   └─ Confirms presence even if deleted

4. Check UserAssist for GUI execution
   └─ Provides run count and last run time

5. Cross-reference timestamps across artifacts

QUESTIONS TO ANSWER:
- Was program executed? (Prefetch = yes, others = maybe)
- When was first execution?
- When was last execution?
- How many times was it run?
- What is the SHA1 hash?
- What files did it access?
- Has it been deleted?

DELIVERABLE:
Timeline of execution events with supporting evidence
```
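
The "Execution Proof" combination from the Artifact Combination Strategies and this template's workflow, carried out on constructed rows from each artifact (an added example, not the cheatsheet's own code). The row layouts, the 15-second agreement window and the low/medium/high mapping are assumptions, and the SHA1 value is a placeholder.

```python
import codecs
from datetime import datetime, timedelta

PF_LAG = timedelta(seconds=10)     # .pf creation and run stamps trail the launch by ~10 s
TOLERANCE = timedelta(seconds=15)  # assumed window for two artifacts to agree on a run time


def userassist_exe(value_name):
    """UserAssist\\{GUID}\\Count value names are ROT13-encoded paths; return the file name."""
    return codecs.decode(value_name, "rot_13").rsplit("\\", 1)[-1].lower()


def exe_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def evidence_matrix(name, prefetch, amcache, shimcache, userassist, jumplists):
    """Rows from each artifact that refer to `name`, e.g. "updater.exe".

    Row formats are simplified and constructed, not the parsers' CSV schemas:
    prefetch {exe, created, run_count, last_run, previous_runs}, amcache
    {path, sha1}, shimcache {path, last_modified}, userassist {value_name,
    run_count, last_run}, jumplists {app, target}.
    """
    name = name.lower()
    return {
        "prefetch": [r for r in prefetch if r["exe"].lower() == name],
        "amcache": [r for r in amcache if exe_name(r["path"]) == name],
        "shimcache": [r for r in shimcache if exe_name(r["path"]) == name],
        "userassist": [r for r in userassist if userassist_exe(r["value_name"]) == name],
        "jumplists": [r for r in jumplists if exe_name(r["app"]) == name],
    }


def assess(m):
    """Answer the template's questions from the matrix.

    Only Prefetch and UserAssist count as execution evidence; Amcache and
    ShimCache on their own show the file was present (ShimCache says nothing
    about execution on Win10+).
    """
    pf, ua = m["prefetch"], m["userassist"]
    runs = sorted(t for r in pf for t in [r["last_run"], *r["previous_runs"]])
    created = [r["created"] for r in pf]
    sources = sum(1 for rows in m.values() if rows)
    executed = bool(pf or ua)
    return {
        "executed": executed,
        "presence_only": not executed and bool(m["amcache"] or m["shimcache"]),
        "first_seen": min(created) - PF_LAG if created else None,  # first run = .pf created - 10 s
        "last_seen": runs[-1] if runs else None,
        "run_count": max((r["run_count"] for r in pf), default=0),
        "sha1": sorted({r["sha1"] for r in m["amcache"]}),
        "paths": sorted({r["path"] for r in m["amcache"] + m["shimcache"]}),
        "files_touched": sorted({r["target"] for r in m["jumplists"]}),
        # Two independently kept timestamps agree on a run (UserAssist vs Prefetch).
        "timing_corroborated": any(abs(u["last_run"] - t) <= TOLERANCE for u in ua for t in runs),
        # Single artifact = low, two = medium, three or more = high (assumed mapping).
        "confidence": "high" if executed and sources >= 3 else "medium" if executed and sources == 2 else "low",
    }


T = datetime  # shorthand for constructed timestamps
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\updater.exe"
SAMPLE_SHA1 = "ab" * 20  # placeholder, not a real hash
PREFETCH = [{"exe": "UPDATER.EXE", "created": T(2024, 3, 15, 21, 58, 12), "run_count": 3,
             "last_run": T(2024, 3, 16, 3, 15, 40),
             "previous_runs": [T(2024, 3, 15, 22, 1, 10), T(2024, 3, 15, 21, 58, 12)]}]
AMCACHE = [{"path": TEMP_EXE, "sha1": SAMPLE_SHA1},
           {"path": r"C:\Users\alice\Downloads\helper.exe", "sha1": "cd" * 20}]
SHIMCACHE = [{"path": TEMP_EXE, "last_modified": T(2024, 3, 15, 21, 57, 50)}]
USERASSIST = [{"value_name": r"P:\Hfref\nyvpr\NccQngn\Ybpny\Grzc\hcqngre.rkr",  # ROT13 of TEMP_EXE
               "run_count": 3, "last_run": T(2024, 3, 16, 3, 15, 31)}]
JUMPLISTS = [{"app": TEMP_EXE, "target": r"C:\Users\alice\Documents\q1-forecast.xlsx"}]
```

In the sample, updater.exe appears in all five artifacts with a UserAssist run nine seconds before the Prefetch stamp, while helper.exe is known only from Amcache and therefore comes out as presence only.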

---

### Template 2: USB Device Usage Investigation

```
OBJECTIVE: Determine what USB devices were connected and what files were accessed

ARTIFACTS TO COLLECT:
☐ ShellBags (USRCLASS.DAT, NTUSER.DAT)
☐ LNK files from Recent folder
☐ Jump Lists
☐ SYSTEM hive (USB device registry keys)
☐ Prefetch files

ANALYSIS WORKFLOW:
1. Parse ShellBags for removable device paths
   └─ Look for drive letters and volume names

2. Examine LNK files
   ├─ Filter for removable media paths
   ├─ Extract volume serial numbers
   └─ Note timestamps of file access

3. Review Jump Lists for files opened from USB
   └─ Check document applications (Office, PDF readers)

4. Check Registry for USB device history
   └─ HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

5. Search Prefetch for executables run from USB
   └─ Volume information in .pf files

QUESTIONS TO ANSWER:
- What USB devices were connected?
- When were they first connected?
- When were they last connected?
- What files were accessed from USB?
- Were any programs executed from USB?
- Were files copied to/from USB?

DELIVERABLE:
USB device timeline with file access activity
```

---

### Template 3: Data Exfiltration Investigation

```
OBJECTIVE: Identify potential data theft and exfiltration methods

ARTIFACTS TO COLLECT:
☐ Jump Lists (archive tools, upload applications)
☐ LNK files (file access in sensitive directories)
☐ ShellBags (folder browsing activity)
☐ Prefetch (archiving tools, FTP clients, cloud sync)
☐ $J and $MFT (file operations, mass copies)
☐ RecentDocs and MRU keys
☐ Browser artifacts (separate investigation)

ANALYSIS WORKFLOW:
1. Identify staging directories
   ├─ Check ShellBags for new folder creation
   └─ Review $J for directory operations

2. Search for archive creation
   ├─ Prefetch: 7zip, WinRAR, WinZip execution
   ├─ Jump Lists: Files added to archives
   └─ $J: .zip, .rar, .7z file creation

3. Check for upload tools
   ├─ Prefetch: FTP clients, cloud sync tools
   ├─ Jump Lists: Files opened by upload apps
   └─ UserAssist: Cloud storage application use

4. Review sensitive document access
   ├─ LNK files: Office documents, PDFs
   ├─ Jump Lists: Multiple file opens
   └─ ShellBags: Sensitive directory browsing

5. Identify file copies to removable media
   ├─ ShellBags: USB drive access
   ├─ $J: Large file copy operations
   └─ LNK files: Files accessed from USB

6. Timeline correlation
   └─ Align file access, archiving, and transfer timestamps

QUESTIONS TO ANSWER:
- What files were accessed?
- Were files archived?
- What archiving tools were used?
- Were files copied to USB or network?
- Were cloud upload tools used?
- What was the timeline of activity?
- What was the volume of data?

DELIVERABLE:
Comprehensive timeline of data access and exfiltration with volume estimates
```
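
Steps 1 and 2 of this template run over constructed $J entries (an added example, not part of the cheatsheet): find a burst of documents arriving in one directory, the archives created afterwards, and link the two. The `reason` field is the raw USN_REASON mask; the thresholds (five documents within ten minutes) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# USN_REASON_* bits from winioctl.h; MFTECmd's $J CSV shows the same reasons by name.
USN_FILE_CREATE, USN_RENAME_NEW_NAME, USN_DATA_EXTEND = 0x100, 0x2000, 0x2
ARCHIVE_EXT = (".zip", ".rar", ".7z")
DOC_EXT = (".docx", ".xlsx", ".pptx", ".pdf")
STAGE_WINDOW, STAGE_COUNT = timedelta(minutes=10), 5  # assumed thresholds


def ext(name):
    return name[name.rfind("."):].lower() if "." in name else ""


def find_staging(journal):
    """Directories that received STAGE_COUNT or more documents (created or renamed in)
    within STAGE_WINDOW: {parent: (first_arrival, last_arrival, count)}."""
    arrivals = defaultdict(list)
    for e in journal:
        if e["reason"] & (USN_FILE_CREATE | USN_RENAME_NEW_NAME) and ext(e["name"]) in DOC_EXT:
            arrivals[e["parent"].lower()].append(e["ts"])
    hits = {}
    for parent, times in arrivals.items():
        times.sort()
        for i in range(len(times) - STAGE_COUNT + 1):
            if times[i + STAGE_COUNT - 1] - times[i] <= STAGE_WINDOW:
                hits[parent] = (times[i], times[-1], len(times))
                break
    return hits


def find_archives(journal):
    """(ts, parent, name) for every archive created; later DATA_EXTEND records for the
    same file are writes to it, not new archives, so the mask keeps them out."""
    return sorted((e["ts"], e["parent"], e["name"]) for e in journal
                  if e["reason"] & USN_FILE_CREATE and ext(e["name"]) in ARCHIVE_EXT)


def exfil_indicators(journal):
    """Staging bursts, archives, and archives created in a staging directory after
    the burst began: the pattern worth putting on the timeline first."""
    staging, archives = find_staging(journal), find_archives(journal)
    linked = [(parent, name, ts) for ts, parent, name in archives
              if parent.lower() in staging and ts >= staging[parent.lower()][0]]
    return {"staging": staging, "archives": archives, "linked": linked}


def ev(ts, name, parent, reason):
    return {"ts": datetime(*ts), "name": name, "parent": parent, "reason": reason}


STAGE = r"C:\Users\alice\AppData\Local\Temp\stage"
DOCS = r"C:\Users\alice\Documents"
JOURNAL = [  # constructed entries; real records usually carry the CLOSE bit (0x80000000) too
    ev((2024, 3, 14, 10, 0, 0), "report.docx", DOCS, USN_FILE_CREATE),
    ev((2024, 3, 16, 3, 20, 5), "payroll.xlsx", STAGE, USN_FILE_CREATE),
    ev((2024, 3, 16, 3, 20, 40), "q1-forecast.xlsx", STAGE, USN_FILE_CREATE),
    ev((2024, 3, 16, 3, 21, 10), "board-deck.pptx", STAGE, USN_RENAME_NEW_NAME),
    ev((2024, 3, 16, 3, 22, 30), "contracts.pdf", STAGE, USN_FILE_CREATE),
    ev((2024, 3, 16, 3, 23, 55), "salaries.docx", STAGE, USN_FILE_CREATE),
    ev((2024, 3, 16, 3, 26, 10), "stage.7z", STAGE, USN_FILE_CREATE),
    ev((2024, 3, 16, 3, 26, 50), "stage.7z", STAGE, USN_DATA_EXTEND),
]
```

The single document created in Documents two days earlier never reaches the threshold, and the second stage.7z record is a write to the existing archive rather than a new one.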

---

### Template 4: Persistence Mechanism Investigation

```
OBJECTIVE: Identify how malware maintains persistence on system

ARTIFACTS TO COLLECT:
☐ Registry hives (SYSTEM, SOFTWARE, NTUSER.DAT)
☐ Startup folder contents
☐ Scheduled tasks
☐ Windows Services
☐ WMI subscriptions

ANALYSIS WORKFLOW:
1. Run Autoruns comprehensive scan
   └─ Export results to CSV

2. Check primary AutoStart registry keys
   ├─ HKCU and HKLM Run keys
   ├─ RunOnce keys
   └─ Winlogon entries

3. Examine Startup folders
   └─ %AppData%\Microsoft\Windows\Start Menu\Programs\Startup

4. Review Scheduled Tasks
   ├─ C:\Windows\System32\Tasks\
   └─ Check task triggers and actions

5. Investigate Windows Services
   ├─ New services created
   ├─ Services with unusual paths
   └─ Service DLL hijacking

6. Check for DLL search order hijacking
   └─ DLLs in application directories

7. Review WMI event subscriptions
   └─ wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter GET /FORMAT:LIST

8. Correlate LastWrite times with attack timeline

QUESTIONS TO ANSWER:
- What persistence mechanisms are present?
- When were they created?
- What executables are involved?
- Are they signed/verified?
- Are they in unusual locations?
- Do they survive reboots?

DELIVERABLE:
List of all persistence mechanisms with risk assessment and removal instructions
```

---

## 🎓 ANALYST BEST PRACTICES

### Collection Best Practices

```
1. Volatile First
   └─ Collect Prefetch before running analysis tools
   └─ Live response tools create new prefetch files

2. Preserve Originals
   └─ Work on copies, never original evidence
   └─ Maintain chain of custody

3. Document Everything
   └─ Commands run
   └─ Tools used and versions
   └─ Analysis notes
   └─ Findings

4. Use VSS
   └─ Volume Shadow Copies provide historical data
   └─ Critical for timeline depth

5. Hash Verification
   └─ Hash evidence before and after
   └─ Use Amcache SHA1 for executables
```

### Analysis Best Practices

```
1. Start Broad, Then Narrow
   └─ Begin with high-level timeline
   └─ Focus on suspicious time periods
   └─ Deep dive on specific artifacts

2. Cross-Reference Multiple Artifacts
   └─ Single artifact = low confidence
   └─ Multiple artifacts = high confidence
   └─ Build evidence matrix

3. Understand Limitations
   └─ Prefetch: May not prove execution on Win10+
   └─ Amcache: Presence, not execution
   └─ ShimCache: Definitely not execution on Win10+
   └─ UserAssist: GUI only

4. Use Timeline Analysis
   └─ Build super timeline with all artifacts
   └─ Look for temporal patterns
   └─ Identify anomalies

5. Consider Context
   └─ Corporate vs. personal use
   └─ User role and responsibilities
   └─ Normal behavior baseline
```

### Reporting Best Practices

```
1. Executive Summary
   └─ Non-technical overview
   └─ Impact assessment
   └─ Key findings

2. Technical Details
   └─ Artifact analysis results
   └─ Timeline of events
   └─ Evidence correlation

3. Visual Aids
   └─ Timelines
   └─ Process trees
   └─ Network diagrams

4. Indicators of Compromise (IOCs)
   └─ File hashes
   └─ File paths
   └─ Registry keys
   └─ IP addresses / domains

5. Recommendations
   └─ Remediation steps
   └─ Prevention measures
   └─ Security improvements
```

***

### 📊 ARTIFACT RELIABILITY MATRIX

| Artifact   | Execution Proof                              | Timing Accuracy                        | Historical Depth                       | Data Richness                        | Forensic Value |
| ---------- | -------------------------------------------- | -------------------------------------- | -------------------------------------- | ------------------------------------ | -------------- |
| Prefetch   | <p>✅ High (Win7-8)<br>⚠️ Medium (Win10+)</p> | <p>✅ Excellent<br>(±10 sec)</p>        | <p>⚠️ Limited<br>(Last 8 times)</p>    | <p>✅ High<br>(Files accessed)</p>    | ⭐⭐⭐⭐⭐          |
| Amcache    | <p>❌ Low<br>(Presence only)</p>              | <p>✅ Good<br>(Multiple timestamps)</p> | <p>✅ Excellent<br>(Historical)</p>     | <p>⭐ Very High<br>(SHA1 hashes!)</p> | ⭐⭐⭐⭐⭐          |
| ShimCache  | <p>❌ None (Win10+)<br>⚠️ Low (Win7-8)</p>    | <p>⚠️ Limited<br>(Mod time only)</p>   | <p>✅ Excellent<br>(1024 entries)</p>   | <p>⚠️ Medium<br>(Paths only)</p>     | ⭐⭐⭐            |
| UserAssist | <p>✅ High<br>(GUI only)</p>                  | ✅ Good                                 | <p>⚠️ Limited<br>(Per application)</p> | <p>✅ High<br>(Focus time)</p>        | ⭐⭐⭐⭐           |
| Jump Lists | <p>✅ High<br>(Indirect)</p>                  | ✅ Excellent                            | <p>⚠️ Limited<br>(Recent items)</p>    | <p>✅ High<br>(File associations)</p> | ⭐⭐⭐⭐           |
| LNK Files  | <p>⚠️ Medium<br>(File access)</p>            | ✅ Excellent                            | <p>⚠️ Limited<br>(Latest only)</p>     | <p>✅ Very High<br>(Device info)</p>  | ⭐⭐⭐⭐           |
| ShellBags  | <p>⚠️ Medium<br>(Folder access)</p>          | ✅ Good                                 | ✅ Excellent                            | <p>✅ Very High<br>(Exotic items)</p> | ⭐⭐⭐⭐           |
| $MFT       | ❌ None                                       | ✅ Excellent                            | ✅ Excellent                            | ✅ Very High                          | ⭐⭐⭐⭐⭐          |
| $J         | ❌ None                                       | ✅ Excellent                            | <p>⚠️ Medium<br>(Circular log)</p>     | <p>⭐ Very High<br>(Operations)</p>   | ⭐⭐⭐⭐⭐          |
| $LogFile   | ❌ None                                       | ✅ Excellent                            | <p>❌ Low<br>(Very recent)</p>          | <p>⭐ Very High<br>(Transactions)</p> | ⭐⭐⭐            |

***

### 🔑 KEY TAKEAWAYS

#### Critical Rules to Remember

1. **Prefetch Priority**
   * Collect FIRST - it's volatile
   * Proves execution (with caveats on Win10+)
   * Contains last 8 execution times
2. **Amcache is Unique**
   * ONLY native source of SHA1 hashes
   * Does NOT prove execution
   * Excellent for malware identification
3. **ShimCache on Win10+**
   * Does NOT prove execution
   * Only proves file existed
   * Useful for historical presence
4. **Cross-Reference Everything**
   * Single artifact = low confidence
   * Multiple artifacts = high confidence
   * Build correlation matrix
5. **Understand Windows Versions**
   * Win7/8 vs Win10/11 behavior differs
   * Prefetch compression on Win10/11
   * ShimCache reliability decreased
6. **Timeline is King**
   * Build comprehensive super timeline
   * Correlate across all artifacts
   * Look for temporal patterns
7. **SHA1 Hashes Matter**
   * Use Amcache for executable identification
   * Cross-reference with VirusTotal
   * Identify known good vs. known bad
8. **Persistence Hunting**
   * Check all ASEP locations
   * Review Scheduled Tasks
   * Examine Windows Services
   * Stack results across systems

***

### 📞 QUICK REFERENCE CARD

#### Top 5 Evidence of Execution Artifacts

1. **Prefetch** - Proves execution, timing, run count
2. **Amcache** - SHA1 hashes, metadata
3. **UserAssist** - GUI program tracking
4. **Jump Lists** - Application file access
5. **ShimCache** - Historical presence (Win10+ caveat)

#### Top 5 User Activity Artifacts

1. **LNK Files** - File/folder access, device info
2. **ShellBags** - Folder navigation
3. **Jump Lists** - Recent documents
4. **RecentDocs/MRU** - Application usage
5. **Recycle Bin** - Deleted files

#### Top 5 File System Artifacts

1. **$MFT** - Complete file metadata
2. **$J** - Change journal (creates, deletes, renames)
3. **$LogFile** - NTFS transactions
4. **ADS** - Hidden data streams
5. **Volume Shadow Copies** - Historical snapshots

#### Top 5 Zimmerman Tools

1. **PECmd** - Prefetch parsing
2. **MFTECmd** - File system analysis
3. **JLECmd** - Jump List parsing
4. **LECmd** - LNK file parsing
5. **Registry Explorer** - Registry analysis

#### Top Investigation Commands

{% code overflow="wrap" %}

```bash
# Quick triage set
.\PECmd.exe -d C:\Windows\Prefetch --csv C:\Output -q
.\AmcacheParser.exe -f C:\Windows\AppCompat\Programs\Amcache.hve --csv C:\Output
.\AppCompatCacheParser.exe --csv C:\Output
JLECmd.exe -d %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations --csv C:\Output -q
LECmd.exe -d %APPDATA%\Microsoft\Windows\Recent --csv C:\Output -q
```

{% endcode %}

***

*For DFIR Practitioners*

