Windows Forensic Artifacts Overview
Hello everyone! My name is Sergey Kislukhin, I work as a 3rd line SOC analyst, and I have something to share in the area of responding to computer incidents on Windows hosts.
Introduction
When investigating information security incidents on Windows hosts, security professionals must look for evidence and proof of malicious activity. In a typical situation, the analyst is faced with a physical disk or disk image containing many artifacts that are not always easy to interpret. Most often, analysts turn to the system event logs, but these may not be enough, especially if event auditing is not configured properly and the logs have been deleted or are retained only for a short time.
Sometimes even the standard set of artifacts taught in incident investigation training programs does not give a complete answer to the question “What happened on the system?” For example, an attacker may have had time to clear the most popular artifacts, or data may have been damaged during collection or transmission.
The purpose of this article is to offer the most comprehensive list of information sources that can be useful for identifying traces of malicious activity, and, briefly, in the form of a cheat sheet, to suggest where to find them and what to analyze them with.
Table of contents
Types of Artifacts
Activity Artifacts in Windows
System Information
Command Execution
Application Execution
Opening files and folders (File/Folder Opening)
Deleted Items and File Existence
Network Activity
External Device/USB Usage
Conclusions
Types of Artifacts
All the artifacts described below fall into 4 groups by source:
Security event logs:
Files have the .evtx extension and are stored in the directory %SystemRoot%\System32\winevt\Logs\*
Analysis: the standard %SystemRoot%\System32\eventvwr.msc, Event Log Explorer, SIEM.
Windows registry:
Files: %SystemRoot%\System32\Config\* (SOFTWARE, SYSTEM, SAM, …), %UserProfile%\NTUSER.DAT, %LocalAppData%\Microsoft\Windows\UsrClass.dat, %SystemRoot%\AppCompat\Programs\Amcache.hve
Analysis: the standard %SystemRoot%\regedit.exe, Registry Explorer, RegRipper.
System utility files used during normal operation to give quick access to previously entered commands or previously opened folders and files.
Files that store system information (to speed up operation or to log failures), not originally intended for forensics but usable for that purpose.
Where possible, each artifact is described: what it contains, where it is located, and which utility can be used to analyze it. Event-log sources are mentioned only minimally, since they are examined first anyway, and a detailed review of all events relevant to user activity is a topic for a separate article.
Activity Artifacts in Windows
System Information
System information artifacts contain basic parameters that will be needed to determine key system characteristics. They are especially useful when analyzing disk images without identification (for example, when solving CTF tasks).
OS Version and Installation Date:
Time zone:
Host name:
Network interfaces:
Installed antivirus programs and their status:
List of installed patches and system updates:
List of users:
User's group memberships:
User environment variables:
Last login time:
Installed programs:
Command Execution
Artifacts related to command execution help to establish which commands and scripts were run on the system. These artifacts are the most valuable, as they can also provide information about paths to malicious applications or already deleted files.
Security Event Logs:
Security.evtx -> event_id 4688 – A new process has been created (command-line auditing must be enabled for the command line to be recorded);
Microsoft-Windows-PowerShell/Operational.evtx, Windows PowerShell.evtx;
Microsoft-Windows-Shell-Core/Operational.evtx -> event_id 9707 – a process started from an autorun registry key, recorded together with its command line.
PowerShell Consolehost History
History of PowerShell commands entered interactively.
Contains the last 4096 commands run in PowerShell (there are no per-command timestamps; the only timestamp is the file modification time, i.e. the time the last command was run).
%AppData%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
PowerShell Profiles:
Windows Task Scheduler:
Scheduled task definitions that run on a schedule or when specific events occur.
Contain the commands and the conditions under which they are run.
%SystemRoot%\Tasks\*, %SystemRoot%\System32\Tasks\*, %SystemRoot%\SysWOW64\Tasks\*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree\*, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\*
Log: Windows-TaskScheduler/Operational.evtx;
WMI Object Property Store:
Similar to Task Scheduler, but based on WMI event consumers.
Contains commands and the conditions under which they should be run.
%SystemRoot%\System32\WBEM\Repository\OBJECTS.DATA
Analysis: python-cim, PyWMIPersistenceFinder.py.
BITS Tasks:
Jobs of the Background Intelligent Transfer Service, an asynchronous file transfer mechanism for remote connections.
Contains queues of file transfer jobs.
%AllUsersProfile%\Microsoft\Network\Downloader\*
Analysis: BitsParser.
Antivirus logs:
Malicious commands may be stored as a result of detection by the behavioral analysis engine.
Contains information about detected malicious objects on the host.
Windows Defender: log Microsoft-Windows-Windows-Defender/Operational.evtx + %ProgramData%\Microsoft\Windows Defender\Scans\History\*
Services:
Background applications that provide operating system functionality and run without user intervention.
Contains the path to the executable file (sometimes with a command) and the type of its launch (automatic or manual).
SYSTEM\CurrentControlSet\Services\*
+ log System.evtx -> event_id 7034-7045
Hibernation and swap files:
The hibernation file contains a dump of the RAM created when the system went into hibernation. It may contain data from active or already terminated processes.
The swap file is used to temporarily store data from RAM when there is not enough of it. It can store fragments of memory, including data from completed processes, passwords, fragments of documents, etc.
Hibernation file: C:\hiberfil.sys. Swap file: C:\pagefile.sys.
Analysis: Volatility, Strings, PhotoRec.
Application Execution
Application execution artifacts help to restore the sequence of actions on the computer, identify suspicious or unwanted programs, and also allow you to identify changes in the system associated with their launch.
AppCompatCache / ShimCache:
A Windows application compatibility mechanism that maintains a list of executable files that have run on the system.
Contains full paths to files and the timestamp of each file's last modification (the same timestamp can be used to find file renames and moves).
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache -> value AppCompatCache
Analysis: appcompatprocessor, AppCompatCacheParser.
Amcache:
A Windows registry file that contains information about all executable files on the host.
Contains the full path to the file, the time the file was first launched, the file size, the SHA-1 hash of the file, and information about the software.
%SystemRoot%\AppCompat\Programs\Amcache.hve
Analysis: AmcacheParser, appcompatprocessor.
Windows JumpLists:
A feature of the Windows taskbar that allows users to view a list of recently used items.
Contains the time the application was first launched, the path to the application, and the hosts accessed via RDP.
%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\*
+%AppData%\Microsoft\Windows\Recent\CustomDestinations\*
Analysis: JLECmd, JumpList Explorer.
Prefetch:
A Windows feature that speeds up app loading times by caching information about apps that you use frequently.
Contains information about the files and directories that are loaded by the application when it starts, and timestamps for these files.
%SystemRoot%\Prefetch\(file_name)-(path_hash).pf
Analysis: PECmd, WinPrefetchView, TZWorks Prefetch Parser.
UserAssist
A Windows feature that tracks which graphical user interface applications a user runs and how many times they have been run.
Contains information about running applications and the time of their last launch.
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*
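An added example (not from the original article) of decoding UserAssist Count values offline: value names are ROT13-encoded paths, and on Windows 7 and later the 72-byte value data carries the run count at offset 4, the focus count at 8, the focus time in milliseconds at 12 and the last-run FILETIME at offset 60. The two entries below are constructed sample values as a registry parser would hand them over; the hypothetical update.exe path is not from the article.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7+ UserAssist Count value layout (72 bytes): session id at offset 0,
# run count at 4, focus count at 8, focus time in ms at 12, last-run FILETIME at 60.
COUNTER_FORMAT = "<IIII"
LAST_RUN_OFFSET = 60
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return None if filetime == 0 else FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_userassist(value_name, value_data):
    """Decode one Count value: ROT13 name plus the binary run counters."""
    if len(value_data) < LAST_RUN_OFFSET + 8:
        raise ValueError("value too short for the Windows 7+ UserAssist layout")
    _session, run_count, focus_count, focus_ms = struct.unpack_from(COUNTER_FORMAT, value_data, 0)
    (last_run,) = struct.unpack_from("<Q", value_data, LAST_RUN_OFFSET)
    return {
        "path": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run_utc": filetime_to_datetime(last_run),
    }


def timeline(count_values):
    """Order a {value_name: value_data} mapping by last run time, newest first."""
    decoded = [decode_userassist(name, data) for name, data in count_values.items()]
    return sorted(decoded, key=lambda e: e["last_run_utc"] or FILETIME_EPOCH, reverse=True)


def _entry(run_count, focus_count, focus_ms, filetime):
    """Build a constructed 72-byte Count value for the sample below."""
    return (struct.pack(COUNTER_FORMAT, 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", filetime) + b"\x00" * 4)


# Constructed sample: a hypothetical binary run 5 times, last on 2024-01-15 10:30:00 UTC
# (FILETIME 133497882000000000), and notepad.exe run 12 times a few days earlier.
SAMPLE_COUNT_VALUES = {
    r"P:\Hfref\nyvpr\NccQngn\Ybpny\Grzc\hcqngr.rkr": _entry(5, 3, 120000, 133497882000000000),
    r"P:\Jvaqbjf\Flfgrz32\abgrcnq.rkr": _entry(12, 9, 900000, 133490000000000000),
}

if __name__ == "__main__":
    for entry in timeline(SAMPLE_COUNT_VALUES):
        print(entry["last_run_utc"], entry["run_count"], entry["path"])
```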
RunMRU (Most Recently Used):
Commands entered in the Run dialog box.
May indicate that a program or script is running on the device.
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\*
RecentApps:
The most recent applications opened by the user via the Start menu or via the Task Switcher (for example, using the Alt+Tab key combination).
Contains applications that have been launched recently.
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\*
SRUM (System Resource Usage Monitor):
Windows 10 Timeline:
Timeline (Task View) opened with the Win+Tab keyboard shortcut.
Contains paths to files and the time they were launched.
%LocalAppdata%\ConnectedDevicesPlatform\%Account-ID%\ActivitiesCache.db
Analysis: DB Browser for SQLite, WxTCmd.
Background Activity Moderator (BAM):
Monitors and controls background application activity to optimize system performance and manage resource usage.
Contains information about applications that were launched, their launch time, and the path to the executable file.
SYSTEM\CurrentControlSet\Services\bam\state\UserSettings\{USER_SID} + SYSTEM\CurrentControlSet\Services\bam\UserSettings\{USER_SID}
Windows Error Reporting:
A Windows component that allows users to submit crash reports to Microsoft. Provides artifacts indicating program execution if a malicious program crashes during its execution.
Contains application paths, loaded modules, the SHA-1 hash, and application metadata.
%ProgramData%\Microsoft\Windows\WER\*
+%LocalAppdata%\Microsoft\Windows\WER\*
+ log Application.evtx -> event_id 1001 (error reports). Note: the same data can be viewed in Control Panel\System and Security\Security and Maintenance\Reliability Monitor.
FeatureUsage:
Image File Execution Options (IFEO):
Runs the named application under the debugger specified in the registry.
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
+SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
Windows Push Notification Services
System notifications from applications.
Contains the app name and notification content, which may contain sensitive data.
%LocalAppdata%\Microsoft\Windows\Notifications\wpndatabase.db
+%LocalAppdata%\Microsoft\Windows\Notifications\wpndatabase.db‑wal
Analysis: Notifications.sql, walitean.
Persistence locations in the registry:
Although they are not a separate artifact, they are worth mentioning, since the presence of malware in at least one of them also indicates malicious activity on the host.
There are many of them, and I described their locations and methods of analysis in more detail in my previous article.
Opening files and folders (File/Folder Opening)
File and folder opening artifacts can indicate which files were opened, edited, or saved. This is useful for establishing whether certain documents were accessed, analyzing sensitive information, and searching for traces of remote connections.
LNK files (shortcuts):
Automatically created by the Windows operating system when a user opens a local or remote file.
Contains the path to the file and timestamps of both the LNK file itself and the file it points to.
%AppData%\Microsoft\Windows\Recent\*
+%AppData%\Microsoft\Office\Recent\*
Analysis: LECmd.
LastVisitedMRU, OpenSaveMRU, BagMRU, RecentDocs, TypedPaths, mapped network drives:
Paths to folders and files from different sources: accessed by applications, opened or saved via the Open File and Save File dialog boxes, configured for display in Explorer, opened or typed manually in Explorer, and mapped network drives.
Files:
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU\*
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
SOFTWARE\Microsoft\Windows\Shell\Bags\* + UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags\*
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\*
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\*
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
MS Word Reading Location
Remotely connected disks
Non-default shares:
Deleted Items and File Existence
These artifacts allow you to restore information about files that existed on the system, even if they were deleted or modified. They help restore the history of file activity, identify deleted files, and prove their existence in the past.
MFT:
A file containing information about each file and directory on an NTFS volume.
Contains information about a file or directory, including its attributes such as creation time, last modification time, last access time, etc.
The $MFT metafile in the root of the volume (it can be viewed and extracted with KAPE, FTK Imager, etc.).
Analysis: MFTExplorer, MFTECmd, analyzeMFT.
USN Journal:
Tracks changes to each volume (high-level records of operations performed on the file system).
Contains a recent record for every change made to data on the volume: when files were created, renamed (including moved) or modified.
$Extend\$UsnJrnl at the root of the volume.
Analysis: MFTECmd.
$Recycle.Bin:
Contains files prefixed with $I and $R, with the extension of the original file appended.
The $I file holds information about the deleted file (size, original path and time of deletion); the $R file holds the full contents of the deleted file.
C:\$Recycle.Bin\{USER_SID}
Analysis: RBCmd.
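An added example (not from the original article) of parsing the $I metadata record described above, so that size, original path and deletion time can be recovered even when the $R file is gone. It handles both on-disk layouts: version 1 (Vista to 8.1, fixed 520-byte UTF-16LE path) and version 2 (Windows 10 and later, length-prefixed path). The sample record is constructed inline; the payroll.xlsx path is hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_dollar_i(data):
    """Parse one $I record (version 1 or 2) into its metadata fields."""
    if len(data) < 24:
        raise ValueError("$I record shorter than its 24-byte fixed header")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Fixed field of 260 UTF-16LE characters (520 bytes), NUL padded.
        raw_path = data[24:24 + 520]
    elif version == 2:
        # Character count (including the terminating NUL) precedes the path.
        (name_chars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + name_chars * 2]
        if len(raw_path) != name_chars * 2:
            raise ValueError("$I path field is truncated")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le").rstrip("\x00")
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_datetime(deleted_ft), "original_path": path}


def matching_r_name(i_name):
    """Name of the $R file that carries the contents for a given $I file."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_dollar_i_v2(path, size, filetime):
    """Construct a version-2 $I record; used here only to build the sample."""
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, filetime, len(encoded) // 2) + encoded


# Constructed sample: a hypothetical spreadsheet of 48213 bytes deleted on
# 2024-01-15 10:30:00 UTC (FILETIME 133497882000000000).
SAMPLE_I_RECORD = build_dollar_i_v2(r"C:\Users\alice\Documents\payroll.xlsx", 48213, 133497882000000000)

if __name__ == "__main__":
    print(parse_dollar_i(SAMPLE_I_RECORD))
```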
Windows Search database:
Stores indexed data of all files, folders, and other content on your computer.
Contains file access timestamps, file path and location, file contents if they have been indexed.
%ProgramData%\Microsoft\Search\Data\Applications\Windows\Windows.edb
Analysis: ESEDatabaseView.
IconCache.db/Thumbcache:
Thumbnail images of files on your computer.
Contains JPG, BMP and PNG images in various pixel sizes; each thumbnail is stored under a unique ThumbnailCacheID that links it to the associated file.
%LocalAppdata%\Microsoft\Windows\Explorer\thumbcache_*.db
Shadow copy:
Differential backups of files made while the OS is running.
C:\System Volume Information
Analysis: ShadowCopyView.
Network Activity
Network activity artifacts are useful for investigating network activity, analyzing interactions with external resources, and identifying possible command and control channels. They can show which networks and resources the system interacted with, which is important for identifying attacks.
Networks the computer was connected to:
Windows Firewall Rules:
SRUM (mentioned earlier) – contains the number of bytes transmitted and received from the network by the application.
Browsers:
Stores web browsing history, cookies, downloads, page cache and online form data.
The data is stored in SQLite databases in the user profile folder:
History of opening some types of files:
%LocalAppdata%\Microsoft\Windows\WebCache\WebCacheV*.dat
Analysis: BrowsingHistoryView, ChromeCacheView, IE10Analyzer.
Certutil History:
A cache of downloaded files that contains valuable metadata.
Contains the cached files and their source URLs.
%UserProfile%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*
Hosts file:
Specifies which IP address to use to contact the host.
May contain a redirect to a malicious server for a legitimate domain.
%SystemRoot%\System32\drivers\etc\hosts
External Device/USB Usage
USB device usage artifacts are useful for analyzing data transfer from the system to external media, which is important when investigating data leaks and unauthorized file copying.
Driver installation log:
Contains the date and time the media was first connected.
%SystemRoot%\INF\setupapi.dev.log
Connected device IDs:
Letter assigned by the system to the connected device:
Device name:
Information about devices and associated file system identifiers (media formatting history):
Device Association Manager (DAM):
Monitors connections between devices and drivers.
SYSTEM\CurrentControlSet\Services\dam\state\UserSettings\{USER_SID} + SYSTEM\CurrentControlSet\Services\dam\UserSettings\{USER_SID}
Conclusions
Windows stores a huge number of artifacts that can indicate the activity of users and applications. Of course, it is impossible to know everything, but such a cheat sheet of the main artifacts can significantly simplify the work of investigating incidents, especially if access to familiar data sources is limited or they are unavailable.