Windows Forensic Artifacts Overview

Hello everyone! My name is Sergey Kislukhin, I work as a 3rd line SOC analyst, and I have something to share in the area of responding to computer incidents on Windows hosts.

Introduction

When investigating information security incidents on Windows hosts, security professionals must look for evidence and proof of malicious activity. In a typical situation, the analyst is faced with a physical disk or disk image containing many artifacts that are not always easy to interpret. Most often, analysts turn to system event logs first, but these may not be enough, especially if event auditing is not configured properly and logs are either deleted or retained only for a short time.

Sometimes even a standard set of artifacts studied in various incident investigation training programs may not provide a complete answer to the question: “What happened in the system?” For example, an attacker may have time to clear the most popular artifacts, or data may be damaged during collection or transmission.

The purpose of this article is to offer the most comprehensive list of information sources that can be useful for identifying traces of malicious activity, and, briefly, in the form of a cheat sheet, to suggest where to find them and what to analyze them with.

Table of contents

Types of Artifacts
Activity Artifacts in Windows
System Information
Command Execution
Application Execution
Opening files and folders (File/Folder Opening)
Deleted Items and File Existence
Network Activity
External Device/USB Usage
Conclusions

Types of Artifacts

All the artifacts proposed below can be divided into 4 groups by source:

Where possible, each artifact is described in the same way: what it contains, where it is located, and the name of the utility that can be used to analyze it. Sources in the form of security event logs are mentioned only minimally, since they are examined first anyway, and a detailed analysis of all events for reconstructing user activity is a topic for a separate article.

Activity Artifacts in Windows

System Information

System information artifacts contain basic parameters that will be needed to determine key system characteristics. They are especially useful when analyzing disk images without identification (for example, when solving CTF tasks).

Command Execution

The main thing in searching for malicious commands is not to find yourself

Artifacts related to command execution help to establish which commands and scripts were run on the system. These artifacts are the most valuable, as they can also provide information about paths to malicious applications or already deleted files.

Application Execution

The essence of artifacts indicating the execution of applications

Application execution artifacts help to restore the sequence of actions on the computer, identify suspicious or unwanted programs, and also allow you to identify changes in the system associated with their launch.

  • AppCompatCache / ShimCache:

  • Amcache:

    • A Windows registry file that contains information about all executable files on the host.

    • Contains the full path to the file, the time the file was first launched, the file size, the SHA-1 hash of the file, and information about the software.

    • %SystemRoot%\AppCompat\Programs\Amcache.hve

    • Analysis: AmcacheParser, appcompatprocessor.

  • Windows JumpLists:

    • A feature of the Windows taskbar that allows users to view a list of recently used items.

    • Contains the time the application was first launched, the path to the application, and the hosts accessed via RDP.

    • %AppData%\Microsoft\Windows\Recent\AutomaticDestinations\* + %AppData%\Microsoft\Windows\Recent\CustomDestinations\*

    • Analysis: JLECmd, JumpList Explorer.

  • Prefetch:

    • A Windows feature that speeds up app loading times by caching information about apps that you use frequently.

    • Contains information about the files and directories that are loaded by the application when it starts, and timestamps for these files.

    • %SystemRoot%\Prefetch\(FILENAME)-(PATH_HASH).pf

    • Analysis: PECmd, WinPrefetchView, TZWorks Prefetch Parser.

  • UserAssist

    • A Windows feature that tracks which graphical user interface applications a user runs and how many times they have been run.

    • Contains information about running applications and the time of their last launch.

    • NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*

  • RunMRU (Most Recently Used):

    • Commands entered in the Run dialog box.

    • May indicate that a program or script is running on the device.

    • NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\*

  • RecentApps:

    • The most recent applications opened by the user via the Start menu or via the Task Switcher (for example, using the Alt+Tab key combination).

    • Contains applications that have been launched recently.

    • NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\*

  • SRUM (System Resource Usage Monitor):

    • A Windows feature used to monitor system performance.

    • Contains the path to the file, the start time, and the number of bytes transferred and downloaded.

    • %SystemRoot%\System32\SRU\SRUDB.dat

    • Analysis: SrumECmd, srum-dump; Task Manager\App history (partial view).

  • Windows 10 Timeline:

    • Timeline (Task View functionality), accessed via the keyboard shortcut Win+Tab.

    • Contains paths to files and the time they were launched.

    • %LocalAppdata%\ConnectedDevicesPlatform\%Account-ID%\ActivitiesCache.db

    • Analysis: DB Browser for SQLite, WxTCmd.

  • Background Activity Moderator (BAM):

    • Monitors and controls background application activity to optimize system performance and manage resource usage.

    • Contains information about applications that were launched, their launch time, and the path to the executable file.

    • SYSTEM\CurrentControlSet\Services\bam\state\UserSettings\{USER_SID} + SYSTEM\CurrentControlSet\Services\bam\UserSettings\{USER_SID}

  • Windows Error Reporting:

    • A Windows component that allows users to submit crash reports to Microsoft. Provides artifacts indicating program execution if a malicious program crashes during its execution.

    • Contains application paths, loaded modules, SHA1 hash, and application metadata.

    • %ProgramData%\Microsoft\Windows\WER\* + %LocalAppdata%\Microsoft\Windows\WER\* + the Application.evtx event log -> event ID 1001 (error reports).

    • Note: the same reports can be viewed in `Control Panel\System and Security\Security and Maintenance\Reliability Monitor`.

  • FeatureUsage:

  • Image File Execution Options (IFEO):

    • A mechanism that launches the application under the debugger specified in the registry; an entry for a legitimate executable may indicate that its launch has been hijacked.

    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\* + SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*

  • Windows Push Notification Services

    • System notifications from applications.

    • Contains the app name and notification content, which may contain sensitive data.

    • %LocalAppdata%\Microsoft\Windows\Notifications\wpndatabase.db + %LocalAppdata%\Microsoft\Windows\Notifications\wpndatabase.db-wal

    • Analysis: Notifications.sql, walitean.

  • Persistence locations in the registry:

    • Although they are not a separate artifact, they are worth mentioning, since the presence of malware in at least one of them will also indicate malicious activity on the host.

    • There are many of them, and I described their locations and methods of analysis in more detail in my previous article.
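As an added example (not code from the original article), the following Python parses two of the registry-resident execution artifacts listed above, UserAssist and BAM, from constructed sample values. UserAssist value names are stored ROT13-encoded and, on Windows 7 and later, each value is a 72-byte record with the run count at offset 4 and the last-execution FILETIME at offset 60; BAM value names are NT device paths of executables whose data begins with an 8-byte FILETIME of the last run. The registry values, the user name `alice`, the path `update.exe` and the timestamp are constructed for the demo; on a real case you would feed in values read from NTUSER.DAT and SYSTEM with a hive parser (for example python-registry) or from a live host.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Windows FILETIME epoch: 100-nanosecond intervals since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a FILETIME to an aware UTC datetime; 0 means 'never run'."""
    if filetime == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the constructed samples."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_userassist_name(value_name: str) -> str:
    """UserAssist value names are ROT13-obfuscated; digits and punctuation
    (including the known-folder GUID braces) pass through unchanged."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_record(value_name: str, data: bytes) -> dict:
    """Parse a Windows 7+ UserAssist value (72-byte record).

    Offsets: 0x00 session id, 0x04 run count, 0x08 focus count,
    0x0C focus time in ms, 0x3C last execution FILETIME.
    """
    if len(data) < 68:
        raise ValueError("UserAssist record too short: %d bytes" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": decode_userassist_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_s": focus_ms / 1000.0,
        "last_run": filetime_to_datetime(last_run),
    }


def parse_bam_entries(user_settings: Dict[str, bytes]) -> List[dict]:
    """Parse the values under bam\\State\\UserSettings\\{SID}.

    Each executable is a value whose name is the NT device path and whose
    data begins with the last-execution FILETIME. The key also holds
    bookkeeping values (Version, SequenceNumber) that are not paths.
    """
    entries = []
    for name, data in user_settings.items():
        if not name.startswith("\\") or len(data) < 8:
            continue
        (last_run,) = struct.unpack_from("<Q", data, 0)
        entries.append({"path": name, "last_run": filetime_to_datetime(last_run)})
    # Oldest first gives a per-user execution timeline.
    return sorted(entries, key=lambda e: e["last_run"] or EPOCH_1601)


# ---- constructed sample data (not taken from any real host) ----
SAMPLE_TIME = datetime(2024, 3, 5, 9, 30, tzinfo=timezone.utc)
SAMPLE_EXE = "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe"  # GUID = System32 known folder


def build_userassist_record(run_count: int, focus_count: int,
                            focus_ms: int, last_run: datetime) -> bytes:
    """Build a 72-byte record in the layout parse_userassist_record expects."""
    data = bytearray(72)
    struct.pack_into("<IIII", data, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return bytes(data)


def demo() -> dict:
    """Run both parsers over the constructed registry values."""
    ua_value_name = codecs.encode(SAMPLE_EXE, "rot_13")  # as stored in NTUSER.DAT
    userassist = parse_userassist_record(
        ua_value_name, build_userassist_record(3, 2, 4500, SAMPLE_TIME))
    bam = parse_bam_entries({
        "Version": struct.pack("<I", 1),
        "SequenceNumber": struct.pack("<I", 2),
        "\\Device\\HarddiskVolume3\\Users\\alice\\Downloads\\update.exe":
            struct.pack("<Q", datetime_to_filetime(SAMPLE_TIME)) + b"\x00" * 16,
    })
    return {"userassist": userassist, "bam": bam}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both parsers return aware UTC datetimes so the results can be placed directly on a timeline next to Prefetch and Amcache timestamps; a FILETIME of zero is reported as `None` rather than as 1601-01-01, which is the usual sign of a value that was created but never updated.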

Opening files and folders (File/Folder Opening)

File and folder opening artifacts can indicate which files were opened, edited, or saved. This is useful for establishing whether certain documents were accessed, analyzing sensitive information, and searching for traces of remote connections.

Deleted Items and File Existence

These artifacts allow you to restore information about files that existed on the system, even if they were deleted or modified. They help restore the history of file activity, identify deleted files, and prove their existence in the past.

Network Activity

Network activity artifacts are useful for investigating network activity, analyzing interactions with external resources, and identifying possible command and control channels. They can show which networks and resources the system interacted with, which is important for identifying attacks.

External Device/USB Usage

USB device usage artifacts are useful for analyzing data transfer from the system to external media, which is important when investigating data leaks and unauthorized file copying.

Conclusions

Windows stores a huge number of artifacts that can indicate the activity of users and applications. Of course, it is impossible to know everything, but such a cheat sheet of the main artifacts can significantly simplify the work of investigating incidents, especially if access to familiar data sources is limited or they are unavailable.
