1. ACMRU
Description: On Windows XP machines, the search assistant feature allows users to search for various items such as filenames, computers, or words within files. This feature retains a user's search terms for future reference, constituting the "Search History" on the system.
Location:
The search history is stored in the Windows registry within the NTUSER.DAT hive:
NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru\####
Interpretation: The "ACMru" key contains different subkeys identified by numeric values ("####"), each representing a specific type of search history:
Search the internet: #### = 5001
Search for all or part of a document name: #### = 5603
Search for a word or phrase within a file: #### = 5604
Search for printers, computers, and people: #### = 5647
-------------------------------------------------------------------------------------------------------------
2. Last Visited MRU
This artifact was already covered in a previous blog post:
Reminder:
From command prompt: Manual extraction (NTUSER.DAT)
reg save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU C:\Users\User\Downloads\output.hiv
-------------------------------------------------------------------------------------------------------------
3. Vista/Win7-10 Thumbnails
The thumbs.db file, which was used in earlier versions of Windows, is not present in Vista/Win7-10. Instead, thumbnail data is stored under a single directory specific to each user, located in their application data directory under their home directory.
Location:
C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer\
Manual extraction of files: So later can be
copy "C:\Users\User\AppData\Local\Microsoft\Windows\Explorer\*" "C:\Users\User\Downloads\Shell"
Interpretation:
These files are generated when a user switches a folder to thumbnail mode or views pictures via a slideshow. Thumbnails in Vista/Win7-10 are stored in separate database files.
Vista/Win7-10 supports four thumbnail sizes:
32 (small)
96 (medium)
256 (large)
1024 (extra large)
The thumbcache database files store thumbnail copies of pictures based on their size, with each size having its own corresponding file in the cache folder.
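To check the copied folder before analysis, the following added example (not part of the original post) inventories the per-size cache files, maps each to the sizes listed above, checks the file header, and records a SHA-256 hash for the evidence log. It assumes the files are named thumbcache_<size>.db and begin with a 4-byte "CMMM" signature followed by a little-endian format version; neither detail is stated on this page.

```python
# Added example: inventory copied thumbcache files.
# Assumptions (not from the page): thumbcache_<size>.db naming, "CMMM" header.
import hashlib
import re
import struct
from pathlib import Path

# Pixel sizes listed on this page, mapped to their labels.
SIZES = {32: "small", 96: "medium", 256: "large", 1024: "extra large"}
NAME_RE = re.compile(r"^thumbcache_(\d+)\.db$", re.IGNORECASE)


def inventory_thumbcache(folder):
    """Return one record per thumbcache_<size>.db file found in `folder`."""
    records = []
    for path in sorted(Path(folder).iterdir()):
        match = NAME_RE.match(path.name)
        if not path.is_file() or not match:
            continue  # skips index files and anything unrelated
        data = path.read_bytes()
        # Header check: signature at offset 0, format version at offset 4.
        valid = len(data) >= 8 and data[:4] == b"CMMM"
        version = struct.unpack_from("<I", data, 4)[0] if valid else None
        pixels = int(match.group(1))
        records.append({
            "file": path.name,
            "pixels": pixels,
            "label": SIZES.get(pixels, "unlisted size"),
            "bytes": len(data),
            "valid_header": valid,
            "format_version": version,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return records


if __name__ == "__main__":
    import sys
    # Default is the destination folder used by the copy command above.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users\User\Downloads\Shell"
    for rec in inventory_thumbcache(target):
        print(rec)
```

A file reported with valid_header set to False was either truncated during the copy or is not a thumbnail database, so re-acquire it before analysis.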
Tool used for analysis:
-------------------------------------------------------------------------------------------------------------
4. Recycle Bin Artifact
For more detail on this artifact, see my previous blog posts.
Blog 1: Recycle Bin forensic
Blog 2: Recycle Bin $I analysis tool --> I_Parse_v1.1
-------------------------------------------------------------------------------------------------------------