Automatically generated based on tag:
| Title | Type | Summary | Location |
|---|---|---|---|
| Amcache / RecentFileCache | Page | Very complex artefact, linked to an application compatibility feature. Tracks program execution (or simply file presence for recent version), installed drivers, and shortcuts from a subset of folders. Program execution / binary presence information of interest: executable full path, program size, SHA1 (of the first 30MB of the executable). |
<SYSTEMROOT>\AppCompat\Programs\Amcache.hve Amcache DLL 6.1.7600 and older: <SYSTEMROOT>\AppCompat\Programs\RecentFileCache.bcf |
| Application Compatibility Cache / Shimcache | Page | Application compatibility feature that aim to maintain support of existing software to new versions of the Windows operating system. A Shimcache entry is created whenever a program is executed from a specific path. However, starting from Windows Vista and Windows Server 2008, entries may also be created for files in a directory that is accessed interactively. Stores up to 1024 entries starting from the Windows Vista and Windows Server 2008 operating systems. Information of interest: file full path, LastModifiedTime ($Standard_Information) timestamp of the file at the time of execution, the cache entry position (insertion position in the Shimcache), and from Windows Vista / Windows Server 2008 up to Windows 8.1 / Windows Server 2012 R2, an (undocumented) execution flag. |
SYSTEM registry hive. Registry keys: >= Windows Server 2003 and Windows XP 64-bit: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache Windows XP 32-bit: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache |
| Jumplists | Page | Introduced in Windows 7, Jumplists are linked to a taskbar user experience-enhancing feature that allows users to "jump" to files, folders or others elements by right-clicking on open applications in the Windows taskbar. Information of interest: target file absolute path, size, attributes, and Modified, Access, and Birth timestamps (updated whenever the file is "jumped" to). Remote desktop connections made using the Windows built-in mstsc.exe client will generate an entry in the AutomaticDestinations JumpList that may reference the remote host. |
AutomaticDestinations: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\<APP_ID>.automaticDestinations-ms CustomDestinations: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<APP_ID>.customDestinations-ms |
| NTFS - $I30 ($INDEX_ROOT, $INDEX_ALLOCATION, and $Bitmap) | Page | The NTFS index attributes $INDEX_ROOT and $INDEX_ALLOCATION are MFT attributes that represent directories and store index records. Each file in a directory is associated with an index record. The record contains information on the file it references in a $FILE_NAME (0x30) attribute: file name, size, parent directory and a set of MACB timestamps (copied from the MFT file record $STANDARD_INFORMATION of the file). |
MFT $INDEX_ROOT, $INDEX_ALLOCATION, and $Bitmap attributes. |
| NTFS - $LogFile | Page | The $LogFile is part of a journaling feature of NTFS, activated by default, which maintains a low-level record of changes made to the NTFS volume with very limited historical data (usually only of the last few hours). | <ROOT>\$LogFile |
| NTFS - $MFT, $MFTMir, and $Bitmap | Page | The Master File Table (MFT) is the main element of any NTFS partition and contain a file record for all existing (and very recently deleted) files written on the partition. The $MFTMirr file is the first entry in the MFT and contains the first 4 entries of the MFT as a recovery mechanism. The $Bitmap file tracks the allocation status (allocated or unused) of the clusters of the volume. |
<ROOT>:\$MFT <ROOT>:\$MFTMir <ROOT>:\$Bitmap |
| NTFS - UsnJrnl | Page | The USN Journal is a feature of NTFS, activated by default on Vista and later, which maintains a record of changes made to the NTFS volume. The $J stream stores the actual change log records, with usually historical data of the last few days. Each change log record is notably composed of: the timestamp, filename, and reason / operation of the change. |
$Max and $J named data streams under <ROOT>\$Extend\$UsnJrnl |
| Recycle Bin | Page | Deleted files and folders (if deleted through a recycle bin aware application), associated with a given user (by their SID). Two kind of files: $I, which contain the path and timestamp of deletion of the original file. $R, which contain the original file content. |
$I, $R files under <SYSTEMDRIVE>:\$Recycle.Bin\<USER_SID>\ |
| Shortcut files / LNK | Page | Shortcut files (*.lnk) are Windows Shell Items that reference to an original file, folder, or application. While LNK files can be created manually, Windows also creates LNK files under numerous user activities, such as opening of a non-executable file. Information of interest, per LNK file: - Target file absolute path, size and attributes. - Target file Modified, Access, and Created (MAC) timestamps at the time of the last access. - Sometimes information on the volume that stored the target file (local or network share, serial number, and label). - Additionally, for automatically created LNK, the creation and modification timestamps of the LNK itself will usually indicate when the target file was first and last opened. |
Automatically created LNK on files access: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\*.lnk Automatically created LNK for documents opened using Microsoft Office products: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Office\Recent\*.lnk Other common LNK location: Users Desktop folder: <SYSTEMDRIVE>:\Users\<USERNAME>\Desktop\*.lnk Startup folders: <SYSTEMDRIVE>:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*.lnk <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk |
| Thumbs.db and Thumbcache | Page | The Thumbs.db and Thumbcache files contain cached thumbnail previews for files (pictures, some document and media file types) in folders that were interactively accessed with the Windows Explorer. Some document types, such as PDF files, will have their first page as their thumbnail preview. The cached thumbnail previews persist even after deletion of the associated files. The Thumbs.db files are stored in their associated folders, with one individual Thumbs.db file per folder. Since Windows Vista, Thumbs.db files are only generated for access through UNC paths (in the remote / share directory). Starting with Windows Vista, the Thumbcache files centralize thumbnails in a central location. Each Thumbcache file, labeled "thumbcache_<RESOLUTION>.db", contains thumbnails from all locations. The location of the file linked to a thumbnail is not stored in the Thumbcache file. However, an unique identifier may be used to retrieve the location of the associated file (mostly for non deleted files). |
Thumbs.db: Individual hidden files in their associated folders. Starting from Windows Vista, Thumbcache: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer\thumbcache_<RESOLUTION>.db files. |
| Windows 10 Timeline / ActivitiesCache.db | Page | Introduced in Windows 10 version 1803, the Windows Activity history tracks a number of operations on the system: programs used, local files opened, SharePoint documents consulted, and websites browsed (using Internet Explorer / Microsoft Edge Legacy). The ActivitiesCache.db database only stores data for the last 30 days by default. Information of interest, that depends on the activity type: start and end times of the activity (in UTC), executable full path for program execution, file name / SharePoint link for files accessed using certain programs, created and last modified timestamp of the associated file, etc. The history of the clipboard data may also be stored for a short amount of time (approximately 12 hours) in non default configuration. |
<SYSTEMROOT>\Users\<USERNAME>\AppData\Local\ConnectedDevicesPlatform\[L.<USERNAME> | *]\ActivitiesCache.db |
| Windows Defender - Detection History files | Page | Windows Defender stores information on past detections, from its real-time and cloud-delivered protection components, in DetectionHistory file(s). Information of interest, per detection: - file path, size, md5, sha1, and sha256 hashes of the file that triggered the detection. - The threat name. - The process and domain and username of the user associated with the detection. - For Potentially Unwanted Applications (PUA) detections, the associated Uninstall registry key. |
Files, with GUID filenames, under: <SYSTEMDRIVE>:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\ |
| Windows Defender - Quarantine | Page | Windows Defender quarantines files that were detected as malicious, storing the full content of the files. It is thus possible to recover the quarantined files for further investigation. Additionally, Windows Defender stores some metadata on each detection under the "Windows Defender\Quarantine" folder, including the original file path of the file, the timestamp of quarantine, and the associated threat name. |
Quarantined files: <SYSTEM_DRIVE>\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData Metadata on the detections associated with quarantined files: <SYSTEM_DRIVE>\ProgramData\Microsoft\Windows Defender\Quarantine\Entries |
| Windows Defender - Support logs | Page | Windows Defender stores on disk a number of plain-text log files. Among these log files, the Microsoft Protection Log (MPLog) log includes a number of event types related to past Windows Defender scanning activity and detections. The MPLog can notably be a source of historical information on: - Program and suspicious command line executions. - Files existence and access. - Windows Defender configuration state, detections, and other telemetry. |
Log files, and notably "MPLog-YYMMDD-hhmmss.log", under: <SYSTEMDRIVE>\ProgramData\Microsoft\Windows Defender\Support |
| Windows Search database | Page | The Windows Search database provides an index to the Windows Search feature to improve search speed by indexing content from a subset of folders and files. Information of interest: files and folders from the Users folders (file name, path, size, attributes, MAC timestamps, and sometimes part of the content of smaller files), Outlook mail data (timestamp of reception and possible mail content), OneNote notes title, and Internet Explorer history. |
Starting from Windows 11: <SYSTEMDRIVE>:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.db <SYSTEMDRIVE>:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows-gather.db Windows 7 to Windows 10: <SYSTEMDRIVE>:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Windows XP: <SYSTEMDRIVE>:\Documents and Settings\All user\Application Data\Microsoft\Search\Data\Application\Windows\Windows.edb |
View on GitHub