LNK (Shortcut) Files:
LNK files are Windows shortcut files that contain metadata about the file or program they link to.
They can reveal information such as the target file's path, icon location, creation time, and last accessed time.
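As an added example (not part of the original notes), the following Python parses the fixed ShellLinkHeader of an LNK file to recover the creation, access and write FILETIMEs, and, for the simple layout with no LinkTargetIDList or LinkInfo, the relative path and icon location from StringData; the sample bytes are constructed, and cp1252 for non-Unicode strings is an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone
# ShellLinkHeader layout per MS-SHLLINK: a fixed 76-byte little-endian structure.
HEADER_FMT = "<I16sIIQQQIIIHHII"
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]  # fixed StringData order
def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means the field was never set."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)
def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
def read_string_data(buf, off, unicode):
    """StringData item: uint16 CountCharacters, then that many unterminated characters (cp1252 assumed when not Unicode)."""
    count, off = struct.unpack_from("<H", buf, off)[0], off + 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252"), off + count
def parse_lnk(buf):
    """Return header timestamps, plus StringData when no IDList/LinkInfo precedes it."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("shorter than a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, buf, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("header size/CLSID mismatch: not a Shell Link file")
    info = {"creation": filetime_to_datetime(ctime), "access": filetime_to_datetime(atime),
            "write": filetime_to_datetime(wtime), "target_size": fsize, "attributes": attrs}
    if flags & (HAS_ID_LIST | HAS_LINK_INFO):
        info["string_data"] = "skipped: LinkTargetIDList/LinkInfo must be walked first"
        return info
    off = HEADER_SIZE
    for bit, key in STRING_FLAGS:
        if flags & bit:
            info[key], off = read_string_data(buf, off, bool(flags & IS_UNICODE))
    return info
def build_sample_lnk():
    """Constructed test bytes, not a real shortcut: Unicode relative path + icon location."""
    flags = 0x08 | 0x40 | IS_UNICODE
    ctime = datetime_to_filetime(datetime(2023, 5, 1, 9, 30, tzinfo=timezone.utc))
    atime = datetime_to_filetime(datetime(2023, 5, 3, 18, 0, 15, tzinfo=timezone.utc))
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         ctime, atime, ctime, 4096, 0, 1, 0, 0, 0, 0)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(r"..\Documents\report.docx") + sd(r"%SystemRoot%\system32\shell32.dll")
```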
Useful for understanding user behavior, application usage patterns, and potentially identifying executed files.
Prefetch Files:
Prefetch files are used by Windows to optimize the loading time of frequently accessed programs.
They contain metadata about the execution of programs, including the program's name, path, last run time, and frequency of use.
Valuable for identifying frequently executed programs and establishing user activity patterns.
AMCACHE (AMCache.hve):
AMCACHE is a Windows registry hive that stores information about program executions and installations.
It contains details such as program names, paths, execution counts, first and last execution times, and digital signatures.
Provides insights into program execution history, including newly installed software and potentially malicious activities.
Shimcache:
The Shimcache, found in the Windows registry, maintains a record of executed programs, even if they have been deleted or moved.
It includes information such as program paths, last modified timestamps, and execution counts.
Useful for identifying executed programs, even when attempts were made to conceal or remove them.
Note for Shimcache:
- Shimcache tracks files that were executed as well as executables that were browsed via File Explorer.
- Shimcache is held in memory and is written to the registry upon shutdown. This is important to note when collecting a triage image from an online system: if the machine has been running without any reboot, restart or logoff, this artifact will not be available.
- Shimcache order of execution: Shimcache stores the most recently executed or interacted-with files at the top of the registry key. By sorting on the Line column, the executables can be viewed in chronological order, regardless of the file modification timestamp.
Jump Lists:
Jump Lists are a feature of the Windows taskbar and Start menu that provide quick access to recently or frequently used files and programs.
They store information about accessed files, including file names, paths, timestamps, and usage frequency.
Helpful for reconstructing user activities, identifying accessed files, and understanding user preferences and behavior.
Shell Bags:
These structures store information about which folders were most recently browsed by the user, including details such as folder view settings and the last time a folder was visited or updated.