Search Results
- Comprehensive Guide to Identifying File and Folder Access in Digital Forensics
When investigating digital forensics cases, confirming which files and folders have been opened or accessed is crucial. Whether tracking user activity or validating forensic evidence, understanding where and how to find artifacts plays a key role in uncovering the truth. Many articles on my website discuss different execution artifacts. However, putting them all together in a structured way helps streamline forensic investigations. This article serves as a reference guide, consolidating various forensic artifacts that indicate file and folder access, along with their advantages, disadvantages, and relevant analysis techniques.

----------------------------------------

1. Open/Save MRU / Last Visited MRU
Description: The Open/Save MRU (Most Recently Used) and Last Visited MRU registry keys record file paths and directories accessed through common dialog boxes. They are valuable for determining recently accessed files.
Article: Windows Registry Artifacts: Insights into User Activity (Last Visited MRU/ Open Save MRU)

2. Recent Files (RecentDocs)
Description: The RecentDocs registry key stores metadata about recently opened files, categorized by file extensions.
Article: RecentDocs: Uncovering User Activity Through Recently Opened Files

3. Shortcut (LNK) Files
Description: Windows automatically generates LNK (shortcut) files when users open files and folders. These files contain metadata, including access timestamps and file locations.
Articles:
- Windows LNK Files: A Hidden Treasure for Forensic Investigators
- LECmd: A Powerful Tool for Investigating LNK Files

4. Office Recent Files
Description: Microsoft Office maintains records of recently accessed files within the Windows registry.
Article: Tracking Recently Opened Files in Microsoft Office: A Forensic Guide

5. ShellBags
Description: ShellBags store information about folder views and access history in Windows Explorer. They can provide insights into directories that were accessed, even if deleted.
Articles:
- Understanding ShellBags: A Forensic Goldmine in Windows Investigations
- Unlocking ShellBags Analysis with ShellBags Explorer (SBE) / SBECmd.exe

6. Jump Lists
Description: Jump Lists store metadata about recently accessed files and applications pinned to the Windows taskbar.
Articles:
- Windows Taskbar Jump Lists: A Forensic Goldmine
- Mastering JLECmd for Windows Jump List Forensics

7. Office Trust Records
Description: Office Trust Records store information about trusted Office documents, often used in investigations related to macro-based malware and suspicious document execution.
Article: Tracking Trusted Office Documents: A Key to Investigating Macro-Based Malware

----------------------------------------

Conclusion

Understanding file and folder access artifacts is essential in forensic investigations. Each artifact provides unique insights, but they also come with limitations. By combining multiple sources of evidence, investigators can build a comprehensive timeline of user activity. Whether tracking user actions, detecting suspicious activity, or validating forensic findings, these artifacts serve as invaluable tools in digital forensics. Happy hunting!

------------------ Dean ------------------
- Comprehensive Guide to Identifying Application Execution in Windows Forensics
When investigating digital forensics cases, confirming application execution is crucial. Whether analyzing malware execution, tracking user activity, or validating forensic evidence, understanding where and how to find execution artifacts is essential. Many articles on my website discuss different execution artifacts. However, putting them all together in a structured way helps streamline investigations. This article serves as a timeline and reference guide, consolidating various forensic artifacts that indicate application execution, their advantages, disadvantages, and relevant analysis techniques.

----------------------------------------

Key Artifacts for Identifying Application Execution

Each artifact provides unique insights, and choosing the right one depends on the investigation's requirements. Below is a list of the most important artifacts, along with links to detailed articles that explain their forensic significance.

1. ShimCache (AppCompatCache)
ShimCache is a valuable artifact for identifying application execution, especially when prefetching is disabled. However, it does not provide timestamps for execution, only last modification times.
Articles:
- Understanding Microsoft's Application Compatibility Cache (ShimCache) in Digital Forensics
- Understanding AppCompatCache tool for ShimCache Forensic Analysis

2. TaskBar Feature Usage
This artifact helps track executed applications based on user interactions with the Windows Taskbar.
Article: TaskBar FeatureUsage: Tracking executed Applications

3. Amcache.hve
Amcache.hve is one of the most reliable sources for identifying program execution, storing detailed information about executed applications, including timestamps.
Articles:
- Understanding Amcache.hve: A Powerful Forensic Artifact
- Mastering AmcacheParser and appcompatprocessor.py for Amcache.hiv Analysis

4. Jump Lists
Jump Lists store data about recently opened applications and files, making them useful for tracking execution history.
Articles:
- Windows Taskbar Jump Lists: A Forensic Goldmine
- Mastering JLECmd for Windows Jump List Forensics

5. Prefetch Files
Prefetch files record program execution details, including the exact timestamp of when an application was last run.
Articles:
- Windows Prefetch Files: A Forensic Goldmine for Tracking Program Execution
- Prefetch Analysis with PECmd and WinPrefetchView

6. Program Compatibility Assistant (PCA)
This artifact logs execution history when an application triggers compatibility warnings.
Article: Evidence of Execution: Program Compatibility Assistant (PCA)

7. CapabilityAccessManager
This registry artifact logs application access to sensitive components like the microphone and camera, indirectly confirming execution.
Article: Tracking Microphone and Camera Usage in Windows (Program Execution: CompatibilityAccessManager)

8. SRUM (System Resource Usage Monitor)
SRUM records extensive details about executed applications, including their network usage and execution time.
Article: SRUM: Unveiling Insights for Digital Investigations

9. Last Visited MRU (Most Recently Used)
This registry artifact provides insights into recently accessed applications and files.
Article: Windows Registry Artifacts: Insights into User Activity (Last Visited MRU/ Open Save MRU)

10. Run Dialog (RunMRU)
Tracking commands executed in the Windows Run dialog provides additional evidence of application execution.
Article: Windows Registry Artifacts: Insights into User Activity (RunMRU)

11. RADAR and MUICache
RADAR and MUICache provide extensive details about executed applications.
Article: Using RADAR and MUICache for Evidence of Execution in Windows

----------------------------------------

Conclusion

Each of these artifacts plays a unique role in application execution analysis. While some provide direct evidence with timestamps, others offer indirect indicators. Depending on the investigation's requirements, a combination of these sources ensures a more comprehensive analysis. If you want to dive deeper, refer to the linked articles for detailed explanations and practical analysis techniques. Happy hunting!

------------------ Dean ------------------
- Using RADAR and MUICache for Evidence of Execution in Windows
MUICache (Evidence of Execution)

----------------------------------------

Power of MUICache in Digital Forensics

If you're into digital forensics, especially Windows forensic analysis, you've probably heard of MUICache. But what exactly is it, and why does it matter? In this article, I'll break it down in the simplest way possible while showing you how this artifact can be a game-changer in forensic investigations.

----------------------------------------

What is MUICache?

MUICache (Multilingual User Interface Cache) is a registry entry found in Windows that stores metadata about programs that have been executed on a system. Essentially, when an application runs, Windows keeps a record of its details, including its executable file name and user-friendly description. This is valuable for forensic analysts because it provides historical evidence of program execution, even if traces of the executable have been deleted from the system.

----------------------------------------

Where Can You Find MUICache?

MUICache entries are typically stored in the Windows Registry at:

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

or

HKEY_USERS\\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Each user on the system will have a separate MUICache entry under their Security Identifier (SID). This means you can track program execution on a per-user basis!

----------------------------------------

Why is MUICache Important in Forensics?

MUICache can provide critical insights during an investigation. Here's why:

- Evidence of Program Execution: If an attacker runs a malicious program and then deletes it, MUICache might still hold the name of the executable.
- Attribution to a Specific User: Since MUICache is stored per user, it can help link program execution to a specific account.
- Context for Incident Response: It helps analysts understand what software was used on a compromised system.
- Detection of Suspicious Applications: Unusual or unauthorized software in MUICache could be an indicator of compromise (IoC).

----------------------------------------

Limitations of MUICache

While it's a great forensic artifact, MUICache has a few limitations:

- No Timestamps: Unlike Prefetch files, MUICache doesn't store execution timestamps.
- Doesn't Confirm Execution: MUICache may contain entries for programs that were only previewed in Explorer, not actually executed.
- Easily Altered: Since it's stored in the registry, an attacker with admin access can clear or modify it.

----------------------------------------

How to Analyze MUICache

To extract and analyze MUICache entries, you can use forensic tools like:

- RegRipper: A great open-source tool for pulling registry data.
- Registry Explorer: An Eric Zimmerman tool.
- FTK Imager: Allows viewing and exporting registry hives.
- Velociraptor: A powerful tool for hunting and forensic analysis.

Example RegRipper command:

rip.exe -r NTUSER.DAT -p muicache

This will pull the MUICache entries from a user's registry hive.

----------------------------------------

Real-World Example

Imagine a scenario where an attacker runs Mimikatz to dump credentials and then deletes it. Even if no Prefetch or event logs remain, MUICache might still reveal mimikatz.exe in the registry. That's a red flag for forensic analysts!

----------------------------------------

Radar Heap Leak Detection (RADAR) (Evidence of Execution)

In digital forensics, identifying whether a program executed on a system is crucial. While well-known artifacts like Prefetch and MUICache exist, there's another lesser-known registry-based artifact that can help: Radar Heap Leak Detection. This artifact, found in the Windows Registry, can provide evidence of execution, though it doesn't track every process.

What is Radar Heap Leak Detection?

Radar, short for Resource Exhaustion Detection and Resolution, is part of Windows' memory leak diagnostic system. It was introduced in Windows Vista to detect memory leaks, collect diagnostic data, and help resolve application issues.

Where to Find It in the Registry

This artifact is stored in the Windows Registry at the following location:

HKEY_LOCAL_MACHINE\Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications

Each application listed under this key indicates that it executed on the system at some point.

How Does an Application Get Tracked Here?

Not all executed applications appear in this registry key. An application ends up under DiagnosedApplications if it consumes a significant amount of system memory:

- On systems with 4GB RAM, the threshold is 5% or more of available memory.
- On systems with 16 GB RAM or more, the threshold is even lower.

Because of this memory usage condition, the presence of an application in this key is somewhat random: not all executed applications will appear here.

How to Determine Execution Time

Each application entry has two important time-related indicators:

- Last Detection Time: This timestamp updates within minutes of an application exceeding the memory threshold. However, it does not indicate the exact time of execution.
- Last Write Timestamp: This is the most useful timestamp because it tells us when the registry subkey was last modified. If an application appears in DiagnosedApplications, we can say it executed on or before this timestamp.

Why is This Useful for Forensics?

While this artifact is not as reliable as Prefetch, it can still be valuable in investigations, because it confirms that:

- The application did execute on the system.
- The execution happened on or before the last write timestamp.

This evidence can be combined with other artifacts like Prefetch, MUICache, or event logs to build a stronger case.

----------------------------------------

Importance on Windows Servers

Windows servers do not enable Prefetch by default, which makes Radar even more valuable as an execution artifact in server environments.

----------------------------------------

Conclusion

MUICache is a simple yet powerful forensic artifact that can help track program execution on a Windows machine. While it has some limitations, it remains a valuable piece of the puzzle in digital investigations. Radar Heap Leak Detection is another lesser-known but potentially useful forensic artifact. While it won't capture every executed application, its presence in forensic analysis can strengthen evidence collection. When combined with other artifacts, it provides another piece of the puzzle in identifying program execution on Windows systems. Next time you're investigating execution artifacts, don't forget to check DiagnosedApplications in the registry! Stay tuned for more forensic insights! 🔍

------------------ Dean ------------------
- UserAssist: A Powerful Yet Complex Forensic Artifact for Tracking Application Execution
The UserAssist registry key in Windows is a goldmine of forensic data, revealing which applications were executed, how often they were used, and when they were last run. While analyzing this key is challenging due to data encoding and irregularities, it remains one of the most valuable tools for tracking user activity on a system.

----------------------------------------

What Is UserAssist?

UserAssist records GUI-based application executions. It does not track:
❌ Background processes
❌ Command-line executions
❌ Scheduled tasks

Forensic analysts use UserAssist to reconstruct user activity, identifying the most frequently used programs, last execution times, and which applications had user focus.

----------------------------------------

Where Is UserAssist Stored in the Registry?

UserAssist data is stored per user profile in:

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\

Each UserAssist key contains multiple GUID-labeled subkeys, representing different methods of application execution.

----------------------------------------

What Data Does UserAssist Contain?

UserAssist logs several details about GUI-based application execution, including:
✅ Last Run Time: The last recorded execution of an application (stored in Windows FILETIME format).
✅ Run Count: The number of times the application has been opened.
✅ Application Name & Path: The full file path of the executed application.
✅ Focus Time: The total time (in milliseconds) the application was actively in use.
✅ Focus Count: The number of times the application became the active window.

💡 Key Insight: Since UserAssist tracks focus time, it can reveal not just what applications were run, but which ones were actually used.

----------------------------------------

Understanding the GUIDs in UserAssist

Each UserAssist entry is stored under a GUID (Globally Unique Identifier). The two most important GUIDs are:
- CEBFF5CD-ACE2-4F4F-9178-9926F41749EA → Tracks applications executed directly via .exe files (e.g., double-clicking a program).
- F4E57C4B-2036-45F0-A9AB-443BCFE33D9F → Tracks applications executed via shortcuts (e.g., Start Menu, taskbar, desktop shortcuts).

💡 Why This Matters: If an application appears under both GUIDs, it means the user executed it using multiple methods, which can help build a pattern-of-life analysis.

----------------------------------------

How UserAssist Helps in Digital Forensics

🔍 1. Tracking User Behavior & Application Usage
- Shows which applications were used most frequently.
- Identifies recently executed programs, even if they were deleted.

🔍 2. Detecting Suspicious Activity & Insider Threats
- If sensitive files were accessed around a breach, UserAssist may reveal which programs were used.
- If remote desktop tools (e.g., AnyDesk, TeamViewer) appear, it may indicate unauthorized access.

🔍 3. Malware & Threat Investigations
- UserAssist helps track malicious programs that rely on GUI execution.
- Can show when ransomware, phishing tools, or keyloggers were launched.

----------------------------------------

Limitations of UserAssist

⚠️ Not All Executions Are Tracked: Command-line tools and background processes do not appear in UserAssist.
⚠️ Data Loss from System Updates: Major Windows updates may reset UserAssist data.
⚠️ Potential False Positives: Simply clicking "Open File Location" in the Start Menu can create an entry, even if the application wasn't actually run.
⚠️ Inconsistent Focus Time Data: Some applications do not record focus time, making exact usage tracking unreliable.

----------------------------------------

Best Practices for Investigating UserAssist

1️⃣ Use Forensic Tools: Decode ROT-13 data with Registry Explorer, RegRipper, or KAPE.
2️⃣ Cross-Reference Other Execution Artifacts: Prefetch, BAM/DAM, AmCache, and Event Logs can fill gaps left by UserAssist.
3️⃣ Analyze GUIDs Separately: Identify execution method patterns by looking at different GUIDs.
4️⃣ Watch for Unexpected Programs: Look for remote access tools, encryption software, or admin utilities that may indicate compromise.
5️⃣ Sort & Filter Data for Insights: Use Run Count, Last Run Time, and Focus Time to prioritize analysis.

----------------------------------------

Final Thoughts: A Powerful Yet Tricky Forensic Artifact

UserAssist is one of the most detailed forensic artifacts for tracking GUI-based application execution, providing valuable insights into what programs were used, how often, and for how long. While decoding and interpreting the data requires effort, UserAssist remains an essential artifact in investigations related to:
✅ User activity tracking
✅ Insider threats
✅ Malware analysis
✅ Digital forensic audits

🚀 Key Takeaway: Use UserAssist as an indicator of activity, but always verify findings with other execution artifacts for a complete forensic picture! 🔍

------------------ Dean ------------------
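The decoding steps the article describes (ROT-13 value names, FILETIME last-run time, run count, focus count and focus time in milliseconds, and the two execution-method GUIDs), worked through as an added example that is not part of the original article. It assumes the Windows 7+ 72-byte value layout (run count at offset 4, focus count at 8, focus time at 12, last-run FILETIME at 60); the value name and data bytes are constructed here rather than read from a real NTUSER.DAT.

```python
"""Decode one UserAssist value: ROT-13 name plus the Windows 7+ 72-byte data blob."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Field offsets inside the 72-byte UserAssist data blob (Windows 7 and later).
# Assumed layout, documented widely in forensic literature; not taken from the article.
RUN_COUNT_OFFSET = 4
FOCUS_COUNT_OFFSET = 8
FOCUS_TIME_OFFSET = 12       # milliseconds the window was in the foreground
LAST_RUN_OFFSET = 60         # 64-bit FILETIME, UTC
USERASSIST_BLOB_SIZE = 72

# The two GUID subkeys the article names, mapped to the execution method they record.
GUID_LABELS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means 'never run'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used only to build constructed sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(rot13_name: str) -> str:
    """Value names are ROT-13 obfuscated; digits, backslashes and braces pass through."""
    return codecs.decode(rot13_name, "rot_13")


def parse_userassist_value(guid: str, rot13_name: str, data: bytes) -> dict:
    """Turn one (GUID subkey, value name, value data) triple into a readable record."""
    if len(data) != USERASSIST_BLOB_SIZE:
        raise ValueError(f"unexpected data size {len(data)}, want {USERASSIST_BLOB_SIZE}")
    # Three consecutive little-endian uint32s: run count, focus count, focus time (ms).
    run_count, focus_count, focus_time_ms = struct.unpack_from("<III", data, RUN_COUNT_OFFSET)
    (last_run_ft,) = struct.unpack_from("<Q", data, LAST_RUN_OFFSET)
    return {
        "method": GUID_LABELS.get(guid.upper(), "unknown"),
        "path": decode_userassist_name(rot13_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        "last_run_utc": filetime_to_datetime(last_run_ft),
    }


def build_userassist_blob(run_count: int, focus_count: int, focus_time_ms: int,
                          last_run: datetime) -> bytes:
    """Constructed test data only: lay the fields out the way Windows 7+ stores them."""
    blob = bytearray(USERASSIST_BLOB_SIZE)
    struct.pack_into("<III", blob, RUN_COUNT_OFFSET, run_count, focus_count, focus_time_ms)
    struct.pack_into("<Q", blob, LAST_RUN_OFFSET, datetime_to_filetime(last_run))
    return bytes(blob)


# Constructed sample: "C:\Tools\example.exe" as it would appear ROT-13 encoded in the hive.
SAMPLE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
SAMPLE_ROT13_NAME = "P:\\Gbbyf\\rknzcyr.rkr"
SAMPLE_LAST_RUN = datetime(2024, 3, 1, 12, 30, 0, tzinfo=timezone.utc)


def sample_entry() -> dict:
    """Decode the constructed sample value (7 runs, 12 focus events, 95 s of focus)."""
    blob = build_userassist_blob(7, 12, 95_000, SAMPLE_LAST_RUN)
    return parse_userassist_value(SAMPLE_GUID, SAMPLE_ROT13_NAME, blob)


def rank_by_run_count(entries: list) -> list:
    """Best-practice step 5 from the article: sort decoded entries for triage."""
    return sorted(entries, key=lambda e: (e["run_count"], e["focus_time_ms"]), reverse=True)


if __name__ == "__main__":
    for entry in rank_by_run_count([sample_entry()]):
        print(entry)
```

On a real image, feed the GUID subkey name, each value name and its raw bytes from any registry parser into parse_userassist_value; a data length other than 72 usually means an older (Windows XP, 16-byte) layout and is rejected rather than misread.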
- TaskBar FeatureUsage: Tracking executed Applications
Windows keeps detailed records of user interactions with the taskbar and GUI applications, but one of the most overlooked forensic artifacts is the FeatureUsage registry key. Introduced in Windows 10 (build 1903), this key tracks which applications were launched, how often they were used, and even how users interacted with the taskbar.

----------------------------------------

What Is FeatureUsage?

FeatureUsage tracks taskbar-related user interactions, providing insight into application usage patterns, pinned shortcuts, notifications, and taskbar clicks. Unlike some artifacts that get erased when a program is uninstalled, FeatureUsage data persists even after an application is removed. This makes it an excellent tool for investigating deleted applications like privacy cleaners, VPN clients, or unauthorized chat software.

What FeatureUsage Can Reveal:
✅ How often an application was launched (even if it was later uninstalled).
✅ Which applications were focused (active window) the most.
✅ How often the user interacted with the taskbar.
✅ Which notifications were most frequently displayed.
✅ How often the user right-clicked an application to access Jump Lists.

----------------------------------------

Where Is FeatureUsage Stored in the Registry?

The FeatureUsage key is located in:

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage

Since this key is tied to individual user profiles, it exists within each user's NTUSER.DAT file.

----------------------------------------

Key Subkeys in FeatureUsage

The most valuable subkeys in FeatureUsage for forensic analysis are:

1️⃣ AppLaunch (Pinned App Execution Tracking)
- Tracks applications pinned to the taskbar and how often they were launched via the pinned shortcut.
- Even if an application is unpinned, the execution count remains.
- Stores full file paths, making it useful for identifying programs installed in unusual locations (e.g., malware hiding in unexpected directories).

💡 Why This Matters:
- If an application was pinned, it indicates the user was familiar with it and used it regularly.
- Execution counts help determine the most-used applications.
- Deleted applications may still have execution records in this key.

2️⃣ AppSwitched (Active Window Tracking)
- Logs how often an application was brought into focus (i.e., when it became the active window).
- Unlike AppLaunch, it tracks all applications, not just pinned ones.

💡 Why This Matters:
- Shows which applications had the most user interaction.
- Can reveal if suspicious applications (like hacking tools or keyloggers) were frequently used.
- Useful for disproving claims of "I never used that program!" in investigations.

3️⃣ AppBadgeUpdated (Notification Tracking)
- Tracks how many notifications were displayed for a given application.
- Similar to mobile app notifications, some Windows applications display badges on taskbar icons.

💡 Why This Matters:
- Helps reconstruct user engagement with an app, even if the app itself was never actively opened.
- Can reveal how active a user was on specific apps like chat clients, social media, or VPNs.

4️⃣ ShowJumpView (Jump List Tracking)
- Tracks how often a user right-clicked an application on the taskbar to access its Jump List.
- Jump Lists provide quick access to recently used files or functions.

💡 Why This Matters:
- If a user frequently accessed Jump Lists, it suggests deep interaction with an application.
- Can show which files or features were used most often in certain programs.

----------------------------------------

Why FeatureUsage Is a Game-Changer for Digital Forensics

🚀 1. Tracks Application Usage Even After Uninstallation
Unlike Prefetch and AmCache, which may lose records when an app is removed, FeatureUsage keeps execution counts even after an app is uninstalled.

🚀 2. Provides Deep Insights Into User Activity
- Tracks not just application execution, but also taskbar clicks, notifications, and search activity.
- Reveals which applications users interacted with most.

🚀 3. Can Reveal Malicious or Suspicious Behavior
- If an attacker used RDP to access a machine, FeatureUsage may show their interactions.
- Can uncover frequent use of privacy tools, VPNs, or hacking software that a suspect claims they never used.

🚀 4. Complements Other Execution Artifacts
- Works alongside Prefetch, UserAssist, BAM/DAM, and AmCache to build a timeline of user behavior.
- Provides additional execution evidence for applications not fully tracked by other artifacts.

----------------------------------------

Best Practices for Investigating FeatureUsage Data

🔍 1. Cross-Reference Execution Artifacts
- Compare AppSwitched data with UserAssist & Prefetch to confirm when applications were used.
- Check TrayButtonClicked to see if a user searched for suspicious files.

🔍 2. Look for Deleted or Uninstalled Applications
- If AppLaunch shows execution counts for a missing application, it was likely used before being uninstalled.

🔍 3. Prioritize High-Focus Applications
- Sort AppSwitched data to see which applications had the most active user interaction.

🔍 4. Identify Anomalous Taskbar Interactions
- If a user rarely opens Jump Lists, but a VPN shortcut has 50+ right-clicks, it suggests frequent VPN use.

----------------------------------------

Final Thoughts: A Must-Check Registry Key for Investigators

FeatureUsage is one of the most valuable yet underutilized forensic artifacts in modern Windows systems. It offers deep insights into user behavior, tracks application usage even after uninstallations, and reveals hidden taskbar interactions.

🔑 Key Takeaways:
✅ Check FeatureUsage for execution counts of deleted applications.
✅ Use AppSwitched to track the most-used active window applications.
✅ Combine FeatureUsage with Prefetch, BAM/DAM, and UserAssist for a full picture.

🚀 If you're analyzing user activity on a Windows system, don't overlook FeatureUsage. It could be the missing piece of the puzzle! 🔍

------------------ Dean ------------------
- Forensic Analysis of Universal Windows Platform (UWP) Applications
The Universal Windows Platform (UWP) is Microsoft's modern application model, designed to replace traditional desktop applications with a sandboxed, secure environment . While UWP apps improve system security and organization, they also introduce new forensic challenges , as many of their artifacts exist outside of expected locations . --------------------------------------------------------------------------------------------------------- What Are UWP Applications? UWP applications were first introduced as Metro Apps in Windows 8 and later evolved into Modern Apps in early Windows 10 . Over time, Microsoft has encouraged developers to adopt this model, and now many built-in and third-party applications use it, including: Notepad Microsoft Paint Calculator Microsoft Office (some versions) Microsoft Edge Dropbox Your Phone Since UWP apps are installed per user, they do not follow the traditional program installation structure. Instead, they are located in: %UserProfile%\AppData\Local\Packages\ Each installed UWP app has a dedicated folder here, containing its settings, cache, and data. --------------------------------------------------------------------------------------------------------- Finding Installed UWP Applications on a Live System To list installed UWP apps, run the following PowerShell command: Get-AppxPackage | Select-Object -Property Name This command will display all UWP applications installed for the current user. --------------------------------------------------------------------------------------------------------- How UWP Apps Store Data: Virtualization and Sandboxing Unlike traditional applications, UWP apps are heavily sandboxed , meaning they have limited access to system files and the registry . Instead of writing directly to the Windows Registry , UWP apps use virtualized registry hives , which are unique to each application. 
According to Microsoft: "In traditional environments, apps can create, update, and delete files in most places in the file system. And they can create, update, and delete entries in the Windows Registry. Those files and Registry entries are visible to other apps on the system. In contrast, UWP applications have their files and registry entries virtualized, making them only visible to the app that created them and removing them when the app is uninstalled."

---------------------------------------------------------------------------------------------------------

Where Are UWP Registry Files Stored?

Since UWP applications do not write directly to the system registry, they maintain their own per-application registry hives inside their respective package folders. These can be found in:

%UserProfile%\AppData\Local\Packages\\SystemAppData\Helium\

These hives include:
- Registry.dat → Equivalent to the system SOFTWARE hive
- User.dat → Equivalent to NTUSER.dat
- UserClasses.dat → Equivalent to UsrClass.dat

These hives do not propagate to the system registry, meaning traditional forensic registry analysis tools may miss them unless they are specifically collected.

---------------------------------------------------------------------------------------------------------

Analyzing UWP Registry Data

Since UWP registry hives exist separately from the traditional Windows registry locations, forensic analysts must extract and analyze them manually.

How to Identify and Extract UWP Registry Hives

A simple way to locate the relevant hives is to collect them during initial triage using a tool like KAPE. KAPE includes a target that recursively scans the UWP Packages folder and extracts these hives for further investigation. Once extracted, the hives can be analyzed using:
- Registry Explorer
- RegRipper
- PowerShell scripts

Why This Matters for Investigators
- If an uninstalled UWP application was used for malicious activity, its registry data might still be recoverable from forensic images.
- If malware was running inside a UWP sandbox, it may have stored configuration files or registry artifacts in these virtualized locations instead of standard system paths.
- These alternative registry hives can contain crucial forensic evidence that traditional registry analysis might miss.

---------------------------------------------------------------------------------------------------------

MSIX and UWP Registry Redirection

Microsoft also introduced the MSIX packaging format for UWP apps, which further complicates forensic investigations. MSIX applications are containerized, meaning registry modifications are redirected to per-app hives, just like standard UWP apps. While not all UWP applications use MSIX, those that do require registry redirection, making it even more important to check the Helium folder for forensic artifacts. No need to worry: KAPE already has a target that collects it.

---------------------------------------------------------------------------------------------------------

UWP Internet Artifacts and Web Data

Aside from registry data, UWP applications store web-related artifacts in their package directories.
- Browser residue (such as cached websites and session data) is stored inside each UWP browser's application folder rather than in standard locations like C:\Users\\AppData\Local\Microsoft\Edge.
- Internet metadata for UWP browsers is still recorded in the Internet Explorer WebCacheV*.dat database, even in Windows 11.

💡 Key Takeaway: Traditional browser forensics may not detect UWP browser activity unless analysts specifically check inside the UWP package folders.

---------------------------------------------------------------------------------------------------------

Investigative Techniques for UWP Forensics

🔍 1. Identify Installed UWP Apps
- Use Get-AppxPackage | Select-Object -Property Name to list UWP apps.
- Browse %UserProfile%\AppData\Local\Packages\ for per-user installations.

🗂️ 2. Extract UWP Registry Hives
- Check %UserProfile%\AppData\Local\Packages\\SystemAppData\Helium\
- Collect Registry.dat, User.dat, and UserClasses.dat for analysis.
- Use forensic tools like Registry Explorer to review the extracted hives.

🌐 3. Investigate UWP Browser Artifacts
- Look inside each UWP browser's package folder for cached data.
- Examine WebCacheV*.dat for internet browsing metadata.

🛑 4. Watch for UWP Malware & Persistence
- Malware can operate inside UWP sandboxes to avoid detection.
- Checking UWP registry hives may reveal unauthorized app activity.
- Look for suspicious app paths or execution timestamps inside UWP registry data.

---------------------------------------------------------------------------------------------------------

Identifying UWP Apps

UWP apps have a distinct naming convention that can help you identify them. The name format is typically: _

For example, the Dropbox app appears as Microsoft.WindowsNotepad_8wekyb3d8bbwe

Whenever you encounter references to the Packages folder or these unique naming patterns, you're likely dealing with a UWP application. Recognizing these traces will help you uncover valuable insights in your investigations.

---------------------------------------------------------------------------------------------------------

Final Thoughts: Why UWP Forensics Matters

The rise of UWP applications means forensic analysts must adapt their techniques. Unlike traditional software, UWP apps store artifacts in separate per-application directories and virtualized registry hives, making them easy to overlook.

🚀 Key Takeaway: If you're conducting a forensic investigation on a Windows system, don't ignore UWP applications! They could hold critical evidence that traditional forensic techniques might miss.

---------------------------------------Dean---------------------------------------------------------
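As an added example (not from the article, and not KAPE's own target definition), the Python script below scans a Packages folder for package-family directories and reports which Helium hives each one holds. The Name_PublisherId folder pattern with a 13-character publisher id is an assumption, and the sample tree it builds is constructed.

```python
"""Locate per-app UWP registry hives under a Packages folder.

Added example, not from the original article and not KAPE's target:
mirrors what that target does for UWP hives. Package-family folder names
are assumed to follow <Name>_<PublisherId>, with a 13-character lowercase
alphanumeric publisher id (assumption based on the article's example name).
"""
import re
import tempfile
from pathlib import Path

# Hives the article names, mapped to their conventional-registry equivalents.
UWP_HIVES = {
    "Registry.dat": "SOFTWARE",
    "User.dat": "NTUSER.DAT",
    "UserClasses.dat": "UsrClass.dat",
}

# <Name>_<PublisherId>: dotted alphanumeric name, then 13-char publisher id.
PACKAGE_FAMILY_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9.\-]*)_(?P<publisher>[0-9a-z]{13})$"
)


def parse_package_family(folder_name: str):
    """Split 'Microsoft.WindowsNotepad_8wekyb3d8bbwe' into (name, publisher id).
    Returns None for folders that do not look like a package family."""
    m = PACKAGE_FAMILY_RE.match(folder_name)
    if not m:
        return None
    return m.group("name"), m.group("publisher")


def find_uwp_hives(packages_dir) -> list:
    """Walk <packages_dir>/<family>/SystemAppData/Helium/ and report hives.

    Returns one dict per package family that has a Helium folder, listing
    the hives present together with their conventional-registry equivalent.
    """
    results = []
    for entry in sorted(Path(packages_dir).iterdir(), key=lambda p: p.name):
        if not entry.is_dir():
            continue
        parsed = parse_package_family(entry.name)
        if parsed is None:
            continue
        helium = entry / "SystemAppData" / "Helium"
        if not helium.is_dir():
            continue
        present = {}
        for hive, equivalent in UWP_HIVES.items():
            path = helium / hive
            if path.is_file():
                present[hive] = {"equivalent": equivalent,
                                 "path": str(path),
                                 "size": path.stat().st_size}
        results.append({"family": entry.name, "name": parsed[0],
                        "publisher_id": parsed[1], "hives": present})
    return results


def build_sample_packages_tree() -> Path:
    """Constructed sample tree (not from a real image): two package families
    with Helium hives, one without a Helium folder, and one non-UWP folder."""
    root = Path(tempfile.mkdtemp(prefix="Packages_"))
    with_hives = {
        "Microsoft.WindowsNotepad_8wekyb3d8bbwe": ["Registry.dat", "User.dat", "UserClasses.dat"],
        "Contoso.SampleApp_abcdefghjkmn1": ["Registry.dat"],   # constructed name
    }
    for family, hives in with_hives.items():
        helium = root / family / "SystemAppData" / "Helium"
        helium.mkdir(parents=True)
        for hive in hives:
            (helium / hive).write_bytes(b"regf" + b"\x00" * 60)  # fake hive header
    (root / "Fabrikam.NoHelium_zzzzzzzzzzzzz").mkdir()
    (root / "NotAPackage").mkdir()
    return root


if __name__ == "__main__":
    sample = build_sample_packages_tree()
    for hit in find_uwp_hives(sample):
        hives = ", ".join(f"{h} ({v['equivalent']})" for h, v in hit["hives"].items())
        print(f"{hit['family']}: {hives}")
```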
- BAM and DAM in Windows Forensics: Tracking Executed Applications
Windows keeps track of many user activities, and one of the lesser-known but valuable forensic artifacts is the Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM). These registry keys store evidence of executed programs, making them useful for tracking user activity, malware execution, and forensic investigations.

-----------------------------------------------------------------------------------------------------------

What Are BAM and DAM?

🔹 Background Activity Moderator (BAM)
- First introduced in Windows 10 version 1709 and still present in Windows 11.
- Stores the full path of an executable and the last execution timestamp.
- Designed to regulate background activity to improve battery life and system efficiency.
- Entries expire after seven days if the program is inactive.

🔹 Desktop Activity Moderator (DAM)
- Functions similarly to BAM but focuses on desktop applications.
- Primarily found on devices using Modern Standby, a power management feature that limits desktop app activity when the screen is off.
- Less commonly found on desktop PCs but can still appear on some systems.

Key Point: Both BAM and DAM store execution timestamps but are not permanent records: entries are removed after seven days of inactivity, or upon system reboot if the executable has been deleted.

-----------------------------------------------------------------------------------------------------------

Where Are BAM and DAM Stored in the Registry?

BAM and DAM data is recorded per user profile, meaning each user has their own set of entries:

SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
SYSTEM\CurrentControlSet\Services\Dam\UserSettings\{SID}

Each user's data is stored under their Security Identifier (SID), so you must identify the correct SID before extracting execution records.

-----------------------------------------------------------------------------------------------------------

What Data Do BAM and DAM Store?

Each BAM/DAM entry contains:
✅ Full Path of Executable – The exact location of the program that was run.
✅ Last Execution Timestamp – A 64-bit Windows FILETIME timestamp showing when the program was last executed.
✅ User-Specific Data – Entries are tied to individual users, identified by their SID.

-----------------------------------------------------------------------------------------------------------

Why Is BAM/DAM Important in Digital Forensics?

✅ 1. Even if a user deletes an application, BAM may still contain a record of its execution for up to seven days.
✅ 2. If malware ran on a system, BAM/DAM could provide evidence of when and where it was executed. However, malware running from USB drives or network shares will not appear in BAM.
✅ 3. Analysts can determine which programs a user interacted with, when they were used, and whether any unauthorized applications were executed.
✅ 4. BAM timestamps can vary by several minutes, so it's best to cross-reference BAM data with:
- Prefetch files
- UserAssist registry key
- ShimCache & AmCache artifacts

-----------------------------------------------------------------------------------------------------------

Limitations of BAM and DAM

⚠️ Entries Are Not Permanent – BAM records are deleted after seven days of inactivity.
⚠️ No Records for Network/USB Executions – Programs executed from removable drives or network shares are not logged in BAM.
⚠️ Timestamps May Be Slightly Off – Execution times in BAM may differ by a few minutes from actual program launch times.

Because of these limitations, BAM/DAM should be used alongside other forensic artifacts for a complete investigation.

-----------------------------------------------------------------------------------------------------------

Final Thoughts: A Simple Yet Powerful Execution Artifact

The BAM and DAM registry keys provide a quick way to track recently executed applications on a Windows system. While entries only last for seven days, they can still offer crucial insights into user activity, malware infections, and forensic investigations.

🚀 Key Takeaway: If you're investigating recent application execution on Windows (especially within the last seven days), BAM/DAM should be one of your go-to forensic artifacts! 🔍

----------------------------------------Dean---------------------------------------------------
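The value layout described above, decoded as an added Python example (not from the original article): the FILETIME in the first 8 bytes of each value, the executable path in the value name, the SID from the key path, and the seven-day window. The 24-byte value size and the Version/SequenceNumber bookkeeping values are assumptions, and the sample key is constructed.

```python
"""Decode BAM/DAM UserSettings values into execution records.

Added example, not from the original article. Layout used here follows the
article: the value name is the executable path, the first 8 bytes of the
value data are a little-endian FILETIME, and the key name is the user's SID.
Real keys also hold DWORD housekeeping values (assumed names: Version,
SequenceNumber); they are skipped because their data is shorter than 8 bytes.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RETENTION = timedelta(days=7)  # retention window the article describes


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks (100 ns since 1601-01-01 UTC) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_bam_key(key_path: str, values: dict, now: datetime) -> list:
    """Turn one UserSettings\\{SID} key (value name -> raw data) into records.

    Each record carries the SID (last component of the key path), the
    executable path, the decoded last-execution time, and whether that time
    still lies inside the seven-day retention window relative to `now`.
    Records come back most recent first.
    """
    sid = key_path.rstrip("\\").split("\\")[-1]
    records = []
    for name, data in values.items():
        if len(data) < 8:            # DWORD bookkeeping values, not executables
            continue
        (ticks,) = struct.unpack("<Q", data[:8])
        ran_at = filetime_to_datetime(ticks)
        records.append({
            "sid": sid,
            "path": name,
            "last_execution": ran_at,
            "within_retention": now - ran_at <= RETENTION,
        })
    records.sort(key=lambda r: r["last_execution"], reverse=True)
    return records


# Constructed sample: values as they might be exported from a bam key.
# The 24-byte layout (FILETIME + 16 zero/unknown bytes) is an assumption.
SAMPLE_NOW = datetime(2024, 2, 24, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_KEY = r"SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-1111-2222-3333-1001"


def _value(dt: datetime) -> bytes:
    return struct.pack("<Q", datetime_to_filetime(dt)) + b"\x00" * 16


SAMPLE_VALUES = {
    r"\Device\HarddiskVolume3\Windows\explorer.exe": _value(SAMPLE_NOW - timedelta(hours=2)),
    r"\Device\HarddiskVolume3\Users\Public\update.exe": _value(SAMPLE_NOW - timedelta(days=10)),
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<I", 42),
}

if __name__ == "__main__":
    for rec in parse_bam_key(SAMPLE_KEY, SAMPLE_VALUES, SAMPLE_NOW):
        note = "" if rec["within_retention"] else "  (older than the retention window)"
        print(f"{rec['last_execution']:%Y-%m-%d %H:%M:%S} UTC  {rec['path']}{note}")
```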
- USB Device Profiling: How to Track Key Timestamps
When it comes to USB key forensics, understanding the timeline of device connections and disconnections can be crucial.

Key Timestamps to Track:

Windows records three important timestamps for USB devices:
- First Time Device Connected
- Last Time Device Connected
- Removal Time

New Times in the Windows 8+ Registry Structure

In Windows 8 and above, you'll find additional timestamp information in the USBStor registry key, specifically under the Properties key with the GUID {83da6326-97a6-4088-9453-a1923f573b29}.
- 0064: First Install Date of the device (Windows 7 and Windows 8)
- 0066: Last Connected Date of the device (Windows 8+ only)
- 0067: Last Removal Date (Windows 8+ only)

This GUID appears in several device categories such as HID (Human Interface Devices), USBSTOR (USB storage devices), MTP (Media Transfer Protocol), and others.

Locations to Find Timestamp Data

First Install Date
Registry Path: SYSTEM\CurrentControlSet\Enum\USBSTOR\Device-Class\Device-SerialNumber\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064

Last Connected Date
Registry Path: SYSTEM\CurrentControlSet\Enum\USBSTOR\Device-Class\Device-SerialNumber\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066

Last Removal Date
Registry Path: SYSTEM\CurrentControlSet\Enum\USBSTOR\Device-Class\Device-SerialNumber\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067

--------------------------------------------------------------------------------------------------

How It Works in Modern Windows Systems:

Starting from Windows 7, the First Time Device Connected timestamp was introduced. With Windows 8 and newer versions, additional timestamps were added to track the Last Time Device Connected and Removal Time. Timestamps are stored in FILETIME format, which records time as a 64-bit value.

Now the question you will ask: what if I am working on an older version? Fair point, but I have you covered. If you're working with Windows XP or Windows 7, you won't find the Last Removal Time, but you can still use other logs:
- XP: C:\Windows\setupapi.log
- Vista+: C:\Windows\inf\setupapi.dev.log

These logs track when a device was first connected. Keep in mind that older systems use different methods for tracking connection times.

--------------------------------------------------------------------------------------------------

How to Make the Process Faster:

Use Registry Explorer; it speeds up the process and helps you piece together a timeline of USB device activity and track any suspicious behavior during your investigation.

--------------------------------------------------------------------------------------------------

Conclusion:

Tracking USB device activity is a powerful tool for forensic examiners. By utilizing the registry's timestamps, you can quickly find when a device was connected, removed, and even when it was first installed. Always document the key details of each device, and cross-reference timestamps to build a clear timeline of events.

---------------------------------------------Dean------------------------------------------
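For the older-system fallback, an added Python example (not from the original article) that pulls the first-install time of each USBSTOR device out of setupapi.dev.log. The section layout it parses is described in the docstring and the log lines are constructed, not taken from a real system.

```python
"""Pull first-install times for USB storage devices out of setupapi.dev.log.

Added example, not from the original article. It relies on the Vista+
setupapi.dev.log layout: a '>>>  [Device Install ... - <DeviceInstanceId>]'
header, a '>>>  Section start YYYY/MM/DD HH:MM:SS.mmm' line, and a
'<<<  [Exit status: ...]' footer per install section. Times in this log are
the local time of the examined system. The sample log below is constructed.
"""
import re
from datetime import datetime

HEADER_RE = re.compile(r"^>>>\s+\[Device Install .*? - (?P<instance>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[A-Z_]+)\]")


def parse_device_installs(log_text: str) -> list:
    """One dict per Device Install section: instance id, start time, exit status."""
    sections, current = [], None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"instance": m.group("instance"), "start": None, "status": None}
            sections.append(current)
            continue
        if current is None:
            continue
        m = START_RE.match(line)
        if m and current["start"] is None:
            current["start"] = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = EXIT_RE.match(line)
        if m:
            current["status"] = m.group("status")
            current = None          # section closed; ignore lines until next header
    return sections


def usbstor_first_install(log_text: str) -> dict:
    """Earliest install time per USBSTOR device, keyed by serial number.

    The instance id looks like USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\<serial>&0;
    the serial is the last path component with its '&<n>' instance suffix cut.
    A device that was re-enumerated later keeps its earliest section time.
    """
    first = {}
    for sec in parse_device_installs(log_text):
        if not sec["instance"].upper().startswith("USBSTOR\\") or sec["start"] is None:
            continue
        serial = sec["instance"].split("\\")[-1].split("&")[0]
        if serial not in first or sec["start"] < first[serial]["first_install"]:
            first[serial] = {"first_install": sec["start"],
                             "instance": sec["instance"],
                             "status": sec["status"]}
    return first


# Constructed sample log: one USB disk installed twice (second is a
# re-enumeration), one other USB disk, and one non-storage (HID) device.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\4C530001234567890123&0]
>>>  Section start 2024/02/20 09:15:42.123
     dvi: {Build Driver List} 09:15:42.140
<<<  Section end 2024/02/20 09:15:43.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - HID\\VID_046D&PID_C52B\\7&1a2b3c4d&0&0000]
>>>  Section start 2024/02/21 08:00:00.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\E0D55EA5&0]
>>>  Section start 2024/02/22 17:45:10.500
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\4C530001234567890123&0]
>>>  Section start 2024/02/23 11:02:05.010
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    devices = usbstor_first_install(SAMPLE_LOG)
    for serial, info in sorted(devices.items(), key=lambda kv: kv[1]["first_install"]):
        print(f"{info['first_install']:%Y-%m-%d %H:%M:%S} (local)  serial={serial}  {info['instance']}")
```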
- RecentDocs: Uncovering User Activity Through Recently Opened Files
When investigating user activity on a Windows system, one of the most valuable forensic artifacts is the RecentDocs registry key. This key maintains a list of recently opened files and folders, allowing analysts to track file interactions, identify potentially suspicious behavior, and even estimate timeframes for when files were accessed.

-------------------------------------------------------------------------------------------------------------

Where is the RecentDocs Key Located?

The RecentDocs key is found in the user-specific registry hive:

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

-------------------------------------------------------------------------------------------------------------

What Data Does RecentDocs Contain?

✅ Last 150 Files Opened (Any Type)
✅ Per-Extension Subkeys – RecentDocs creates subkeys for different file extensions (e.g., .docx, .pdf, .eml), each storing the last 20 files opened of that type.
✅ Last 30 Folders Opened by the user.
✅ MRU (Most Recently Used) Order – Items are stored in a list format, with Item 1 being the most recently accessed.
✅ Potential Web Searches & Downloads – Some browsers and Windows search features may log visited websites and downloads under RecentDocs.

---------------------------------------------------------------------------------------------------------------------------

Understanding RecentDocs Timestamps

The RecentDocs key itself has a last write timestamp, which updates every time a new file is opened. However, individual entries within RecentDocs do not store timestamps, except for the most recently used item in each subkey.

🔹 How This Works:
- If you open multiple .docx files, only the most recent one in the .docx subkey will have a timestamp.
- Older entries remain in order but do not store exact access times.
- Even though older entries lack timestamps, the MRU list order can help estimate time ranges.

---------------------------------------------------------------------------------------------------------------------------

How RecentDocs Helps in Forensic Investigations

🔍 1. Tracking User Activity
RecentDocs provides insight into which files and folders a user interacted with, helping investigators build a digital footprint.

💾 2. Recovering Deleted Evidence
Even if a file has been deleted, its record in RecentDocs remains until overwritten, allowing analysts to recover evidence of past activity.

🕵️ 3. Identifying Suspicious Behavior
- Data Theft: If a user accessed multiple sensitive files before an unauthorized data transfer, it could indicate data exfiltration.
- Malware Execution: If ransomware was detected on a system, RecentDocs might reveal which file triggered the infection.
- Insider Threats: Analyzing which files were accessed before a breach can help determine whether an employee played a role.

---------------------------------------------------------------------------------------------------------------------------

Final Thoughts: A Simple Yet Powerful Forensic Tool

The RecentDocs registry key is an essential forensic artifact for understanding user interactions with files and folders. By analyzing its MRU lists, subkeys, and timestamps, investigators can track user behavior, uncover deleted evidence, and reconstruct activity timelines.

If you're conducting an investigation, don't overlook RecentDocs: it could be the key to uncovering what really happened on a system! 🚀

------------------------------------------Dean--------------------------------------------------
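An added Python example (not from the original article) that reconstructs the MRU order of one RecentDocs subkey from its raw values and attaches the key's last-write time to the head of the list only, as described above. The value layout (UTF-16LE name, two-byte null, shell item; MRUListEx as DWORD indices ending in 0xFFFFFFFF) is assumed as stated in the docstring, and the sample values are constructed.

```python
"""Reconstruct the MRU order of a RecentDocs subkey from its raw values.

Added example, not from the original article. Layout assumed here (the
usual one for this key): numbered values ("0", "1", ...) whose data starts
with the UTF-16LE file name followed by a two-byte null and then a shell
item, plus an "MRUListEx" value holding little-endian DWORD indices that
end with 0xFFFFFFFF, most recently used first. Only the key's last-write
time is known, so only the head of the list gets a timestamp.
"""
import struct
from datetime import datetime, timezone


def decode_entry_name(data: bytes) -> str:
    """UTF-16LE name up to the first two-byte null on an even offset."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def decode_mrulistex(data: bytes) -> list:
    """DWORD indices in MRU order; stop at the 0xFFFFFFFF terminator."""
    count = len(data) // 4
    order = []
    for idx in struct.unpack("<%dI" % count, data[:count * 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def recentdocs_mru(values: dict, key_last_write: datetime) -> list:
    """Return (rank, name, timestamp_or_None) tuples; rank 1 is most recent."""
    result = []
    for rank, idx in enumerate(decode_mrulistex(values["MRUListEx"]), start=1):
        raw = values.get(str(idx))
        if raw is None:                      # dangling index: value was removed
            continue
        ts = key_last_write if rank == 1 else None
        result.append((rank, decode_entry_name(raw), ts))
    return result


def encode_entry(name: str) -> bytes:
    """Constructed value blob: name, terminator, then a stand-in shell item
    carrying the .lnk name (real shell items are longer and more structured)."""
    lnk = (name + ".lnk").encode("ascii", errors="replace")
    return name.encode("utf-16-le") + b"\x00\x00" + struct.pack("<H", 3 + len(lnk)) + b"\x32" + lnk


# Constructed sample for a ".docx" subkey: three documents, index 1 opened last.
SAMPLE_VALUES = {
    "0": encode_entry("Q1_report.docx"),
    "1": encode_entry("salary_export.docx"),
    "2": encode_entry("résumé.docx"),
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}
SAMPLE_LAST_WRITE = datetime(2024, 2, 24, 9, 30, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rank, name, ts in recentdocs_mru(SAMPLE_VALUES, SAMPLE_LAST_WRITE):
        when = ts.strftime("%Y-%m-%d %H:%M:%S UTC") if ts else "(no timestamp; order only)"
        print(f"{rank}. {name:<22} {when}")
```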
- Evidence Profiling : Key Device Information, User Accounts, and Network Settings on macOS
Updated 24 Feb,2024

When investigating a macOS system, understanding its device information, user accounts, and network settings is critical.

-------------------------------------------------------------------------------------------------------------

Finding macOS Version and Build Information

Your macOS version and build number are crucial details, often needed for software compatibility, troubleshooting, and security updates. You can find this information in the SystemVersion.plist file, which is located in:

📂 /System/Library/CoreServices/SystemVersion.plist

For example, if you're running Big Sur (11.2.3), the file will show something like this:
- System Name: macOS
- Version: 11.2.3
- Build Number: 20D91

Command: Use cat on a live system to view the .plist file contents.

This tells you exactly what version of macOS you're using, which can be helpful when checking for updates or debugging issues.

-------------------------------------------------------------------------------------------------------------

Retrieving Your Mac's Serial Number

Your Mac's serial number is unique to your device and can be retrieved in several ways. The easiest method is through the system_profiler command:

system_profiler SPHardwareDataType | grep "Serial Number"

However, on newer versions of macOS, Apple stores the serial number in encrypted databases. One such place is the cache_encryptedA.db file, where the serial number is often stored in a table named TableInfo. I used the UAC script to collect the artifacts; I searched for "Serial Number" and found

For forensic analysts or tech-savvy users, extracting this information might require additional database query techniques.

-------------------------------------------------------------------------------------------------------------

Finding macOS Installation and Setup Dates

Want to know when your Mac was first set up?
Here are some ways to find out:

1️⃣ Original System Setup Date
The file .AppleSetupDone (located in /private/var/db/) is created when you first complete your Mac's setup process. The access or modification date of this file can give you an idea of when the system was first registered or set up.

2️⃣ macOS Installation Dates
Each time macOS is installed or updated, a record is logged in the install.log files located in:
📂 /private/var/log/install.log
If these log files haven't been overwritten, you can check them to see when different macOS versions were installed.

3️⃣ Software Update History
For more detailed timestamps of software installations and updates, check this file:
📂 /private/var/db/softwareupdate/journal.plist
This file provides detailed logs of when system updates were applied, making it useful for tracking system changes.

-------------------------------------------------------------------------------------------------------------

Checking the System Time Zone Configuration

Your Mac stores its current time zone settings in multiple places. The /etc/localtime file contains the active time zone value.

Command: ls -la /etc/localtime

For example, if the system is set to Eastern Time (New York), it will be reflected in this file.

You can also check the time zone settings in the .GlobalPreferences.plist file, located at:
📂 /Library/Preferences/

Command: plutil -p /Library/Preferences/.GlobalPreferences.plist

However, if you've switched from location-based time zone settings to a manually set time zone, this plist might not update automatically.

Is Location Services Being Used for Time Zone Updates?
If you're curious whether your Mac is automatically adjusting the time zone using Wi-Fi or GPS, check this file:
📂 /Library/Preferences/com.apple.timezone.auto.plist

Command: cat /Library/Preferences/com.apple.timezone.auto.plist or plutil -p /Library/Preferences/com.apple.timezone.auto.plist

If location services are enabled, macOS will determine your time zone based on nearby Wi-Fi networks, which might explain why your time zone occasionally changes when you travel.

-----------------------------------------------------------------------------------------------------------------------------

When managing a macOS system, knowing the different types of user accounts and their permissions is crucial.

Types of User Accounts in macOS

Every user account in macOS falls into one of these categories:
- Administrator: Has full control over the system.
- Standard: A regular user account with permission to install apps and change personal settings but without full system control.
- Managed with Parental Controls: Allows restrictions on app usage, content access, and screen time.
- Sharing Only: Used for network access without a full user account.
- Group: Used to organize users for access control in enterprise environments.
- Guest: Temporary access without a password. Data is deleted upon logout unless configured otherwise. If FileVault is enabled, Guest users can only access Safari, and on macOS 10.7 or later, they cannot log in at all.

Where User Data is Stored

User and group account information is stored in the directory:
- /private/var/db/dslocal/nodes/Default/users/ (for users)
- /private/var/db/dslocal/nodes/Default/groups/ (for groups)

The account details are stored in property list (.plist) files, which can be in either:
- XML format (macOS 10.6 and earlier)
- Binary format (macOS 10.7 and later)

Accessing these files requires root privileges.
Note that users managed via Open Directory (similar to Active Directory) do not have a local .plist file in this directory.

Tracking Deleted User Accounts

When a user account is deleted, macOS provides three options:
- Save the home folder in a disk image (DMG) – The most common option, saving the user's files in /Users/Deleted Users/.
- Keep the home folder in place – The user is deleted, but their files remain.
- Delete the home folder – Removes all associated data permanently.

Deleted user records are stored in the com.apple.preferences.accounts.plist file under the deletedUsers key, located at:
/Library/Preferences/

This file contains:
- The deleted user's real name
- User ID (UID)
- Username
- Deletion date

Tracking User Login Activity

Login-related information is stored in the com.apple.loginwindow.plist file located at:
/Library/Preferences/

Command: plutil -p com.apple.loginwindow.plist

Key details include:
- lastUser – The currently logged-in user (if the system was imaged live).
- autoLoginUser – If automatic login is enabled, this field stores the username.
- lastUserName – The last user who logged in.
- RetriesUntilHint – Number of failed attempts before a password hint appears.
- GuestEnabled – Indicates whether the Guest account is active.

Automatic Login and Password Storage

If a user enables automatic login, macOS stores the password in an encoded format in the file:
/etc/kcpassword

The password is XOR-encoded with a multi-byte key. A Ruby one-liner can decode it if necessary (the loop stops at the first byte that equals a key byte, which is where the null-padded password ends):

sudo ruby -e 'key = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31]; IO.read("/etc/kcpassword").bytes.each_with_index { |b, i| break if key.include?(b); print [b ^ key[i % key.size]].pack("U*") }'

However, automatic login is disabled if FileVault is enabled or if the user logs in via iCloud credentials.

Managing macOS and iOS Devices

For macOS and iOS devices managed by enterprises, configurations and restrictions are controlled through Mobile Device Management (MDM).
These devices contain configuration profiles stored in:
- /private/var/mobile/Library/ConfigurationProfiles/
- /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles

To check installed profiles: Settings → General → Profiles (or Device Management). Hidden profiles do not appear in the standard GUI.

Restrictions on app installations, purchases, content access, and privacy settings are stored in files like:
- UserSettings.plist
- EffectiveUserSettings.plist
- PublicEffectiveUserSettings.plist

These files track device policies, user permissions, and other restrictions.

----------------------------------------------------------------------------------------------

Network Interfaces Information

macOS: 📂 /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist

Command: cat /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist or plutil -p /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist

This file stores details about the network interfaces available on the system. Each interface has an associated Item key:
- Item 0: Typically represents the Wi-Fi interface (e.g., en0, IEEE802.11).
- Item 7: Could represent a USB-C hub with an Ethernet port.

Each interface entry includes:
- Description (e.g., "IEEE802.11" for Wi-Fi, "Ethernet" for wired connections)
- Unique MAC Address for the interface
- Model key showing the system's model

💡 Tip: You can search for the system model on Apple's support page to find exact hardware details.

Network Services Configuration
- Interface number (e.g., en0 for Wi-Fi, en1 for Ethernet).
- Network Type (e.g., IEEE802.11 for Wi-Fi, Ethernet for wired connections).
- MAC address: This may be displayed in Base64-encoded format when the plist is read on Linux, but it can be decoded using echo "(encoded MAC)" | base64 -d | xxd
- Model: Useful for identifying the device's network hardware.
macOS: 📂 /Library/Preferences/SystemConfiguration/preferences.plist

The NetworkServices key inside this file contains configurations for the different network interfaces:
- Wi-Fi Interface (en0): Uses DHCP for automatic IP address assignment. Has a NetBIOS name for system identification.

----------------------------------------------------------------------------------------------

DHCP Lease Records

This directory contains network configurations for DHCP-based connections:
📂 /private/var/db/dhcpclient/leases/

Files are named after the network interface (e.g., en0.plist, interface.plist, en0-MAC.plist or en0-1,12:12:12:12:12:12.plist). Where there have been multiple connections on an interface, the files in this folder will contain data relating to the most recent connection, along with information such as:
- Lease Start Date
- Router MAC Address
- Assigned IP Address
- SSID of the Access Point
- DHCP Lease Duration
- Router IP Address
- Packet Data

If you are using the UAC script to collect artifacts, you can get all of this information in the system profiler text file.

------------------------------------------------------------------------------------------------------------

Known Wi-Fi Networks

macOS: 📂 /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

These files store information about Wi-Fi networks previously connected to. Each known network is recorded with:
- SSID Name
- Captive Portal Status (e.g., login screens at hotels)
- Last Connection Time (stored in local system time)
- Auto-Connect Preferences

💡 Key Attributes:
- AddReason: Determines whether the network was synced via iCloud or manually added.
- JoinedByUserAt: The user manually connected to the AP.
- JoinedBySystemAt: The system auto-connected to the AP.

Older macOS Versions

Older macOS versions store known networks differently, using a wifi.ssid. format within the KnownNetworks key.

💡 The PreferredOrder key defines the priority of saved networks, with Item 0 being the highest priority.
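An added Python example (not from the original article) that turns the KnownNetworks and PreferredOrder keys above into a join timeline using the standard library's plistlib. The SSIDString and Captive key names and the AddReason values are assumptions, and the plist it reads is constructed in code rather than taken from a real Mac.

```python
"""Build a timeline of known Wi-Fi networks from com.apple.airport.preferences.plist.

Added example, not from the original article. It uses the keys the article
names (KnownNetworks, PreferredOrder, AddReason, JoinedByUserAt,
JoinedBySystemAt) plus SSIDString for the network name and Captive for the
captive-portal flag; those two names are assumptions about the plist layout.
plistlib hands back naive datetimes, which are UTC in the plist; converting
to the local time the article mentions is left to the caller.
"""
import plistlib
from datetime import datetime


def known_network_timeline(plist_bytes: bytes) -> list:
    """Return one dict per known network, PreferredOrder first.

    'last_joined' is the later of the two join timestamps and 'joined_by'
    says whether the user or the system made that connection. Networks
    missing from PreferredOrder are appended (priority None) rather than
    dropped, so old-style 'wifi.ssid.<hex>' entries still show up.
    """
    plist = plistlib.loads(plist_bytes)
    known = plist.get("KnownNetworks", {})
    order = [k for k in plist.get("PreferredOrder", []) if k in known]
    ordered_keys = order + sorted(k for k in known if k not in order)
    timeline = []
    for position, key in enumerate(ordered_keys):
        net = known[key]
        by_user = net.get("JoinedByUserAt")
        by_system = net.get("JoinedBySystemAt")
        candidates = [(t, who) for t, who in ((by_user, "user"), (by_system, "system")) if t is not None]
        last, who = max(candidates) if candidates else (None, None)
        timeline.append({
            "priority": position if key in order else None,
            "ssid": net.get("SSIDString", key),
            "add_reason": net.get("AddReason"),
            "captive": bool(net.get("Captive", False)),
            "joined_by_user_at": by_user,
            "joined_by_system_at": by_system,
            "last_joined": last,
            "joined_by": who,
        })
    return timeline


def build_sample_plist() -> bytes:
    """Constructed plist (not from a real system): two networks in
    PreferredOrder plus one old-style 'wifi.ssid.<hex>' entry outside it."""
    data = {
        "PreferredOrder": ["net-home", "net-hotel"],
        "KnownNetworks": {
            "net-home": {
                "SSIDString": "HomeNet",
                "AddReason": "WiFi Menu",          # constructed value
                "JoinedByUserAt": datetime(2024, 2, 1, 18, 5, 0),
                "JoinedBySystemAt": datetime(2024, 2, 23, 7, 40, 0),
            },
            "net-hotel": {
                "SSIDString": "Hotel_Guest",
                "AddReason": "WiFi Menu",
                "Captive": True,
                "JoinedByUserAt": datetime(2024, 2, 20, 22, 15, 0),
            },
            "wifi.ssid.4361666557694669": {       # hex of "CafeWiFi"
                "SSIDString": "CafeWiFi",
                "AddReason": "iCloud",
                "JoinedBySystemAt": datetime(2023, 12, 12, 12, 0, 0),
            },
        },
    }
    return plistlib.dumps(data, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for net in known_network_timeline(build_sample_plist()):
        pri = "-" if net["priority"] is None else net["priority"]
        last = net["last_joined"].isoformat() if net["last_joined"] else "never"
        print(f"[{pri}] {net['ssid']:<12} last joined {last} by {net['joined_by']}"
              f"  captive={net['captive']}  added via {net['add_reason']}")
```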
------------------------------------------------------------------------------------------------------------

Wrapping Up

macOS stores a wealth of system information in various locations, and knowing where to look can help you troubleshoot, perform forensic analysis, or simply satisfy your curiosity.

🔍 Now you know how to peek under the hood of macOS! Let me know if you need more insights or step-by-step guides. 🚀

------------------------------------------------------Dean-----------------------------------------------
- History of macOS and macOS File Structure
Updated on 23 February, 2025

Early Apple Days

Apple was established on April 1, 1976, and quickly made its mark with the Lisa in the early 1980s, the first public computer featuring a graphical user interface (GUI). Fast forward to 1984, and Apple released the Macintosh, their first affordable personal computer with a GUI, revolutionizing personal computing.

Big Moves in the 1990s and Beyond

By the late 1990s, Apple was well-established. In 1998, they introduced the HFS+ file system, which helped users manage larger storage devices and improved overall file organization. But things really got interesting in 2001 with the launch of Mac OS X, a Unix-based operating system that gave the Mac the robustness and reliability it needed.

The Evolution of macOS
- 2012: With OS X 10.8 (Mountain Lion), Apple started to unify its desktop and mobile platforms, borrowing elements from iOS.
- 2016: Apple rebranded OS X to macOS, beginning with macOS 10.12 (Sierra).
- 2017: The APFS file system (Apple File System) was introduced to replace HFS+, designed to be faster and more efficient, especially for SSDs.

APFS: Apple's Modern File System

When Apple introduced APFS in 2017, it addressed many limitations of its predecessor, HFS+. Here's what makes APFS special and why it matters for modern Macs:
- Optimized for SSDs: APFS is designed to work seamlessly with solid-state drives (SSDs) and flash storage, making your Mac much faster when it comes to file operations.
- Atomic Safe Save: Ever worried about losing data if your Mac crashes while saving a file? APFS uses a technique called Atomic Safe Save. Instead of overwriting files (which can corrupt data during a crash), it creates a new file and updates pointers, meaning your data is much safer.
- Full Disk Encryption: APFS builds encryption right into the file system, giving you multiple ways to secure your data using different recovery keys, including your password or even iCloud.
Snapshots : One of the coolest features is snapshots , which create a read-only copy of your system at a specific point in time. If something goes wrong, you can roll back to a previous state—perfect for troubleshooting! Large File Capacity : APFS supports filenames with up to 255 characters and file sizes up to a theoretical limit of 8 exabytes (that’s 8 billion gigabytes!). So, you probably won’t run out of space anytime soon. Accurate Timestamps : With nanosecond accuracy, APFS records changes precisely—useful for backups, file versioning, and tracking down when exactly something was altered. macOS File Structure: How Your Files Are Organized macOS organizes files and folders into four main domains , each serving different purposes: Domain Description User - User-Specific Files - Controlled by Each User - Hidden ~/Library Directory Local - Apps/Resources for Local System and Users - Controlled by System and Admin Users - /Library System - System Software Installed by Apple - Controlled by System - /System/Library Network - Apps/Resources on Local Network - Controlled by Network Administrator - Other systems, printers, Time Capsules, NAS, etc. 1. User Domain (/Users) or User Library This is w here all the files related to your user account live . It includes the home directory, which stores personal documents, downloads, music, and more. Each user on the system has their own isolated space here. There’s also a hidden Library folder within each user account, where your apps store personal preferences and data. Key folders in the User Domain : Home Directory : Your personal space, with folders like Documents , Downloads , and Desktop . Public Directory : A space where you can share files with others who use the same Mac. User Library : Hidden by default, but this folder is a treasure trove for advanced users and app developers. It contains your preferences, app data, and cached files. 
If you ever need to dig in, you can reveal it using a simple Terminal command: chflags nohidden /Users//Library

2. Local Domain (/Library) or Local Library
This domain contains files and apps that are shared across all users on the Mac. Apps installed via the Mac App Store will be located in the /Applications folder. There's also a /Developer folder here if you've installed Xcode or developer tools.
/Library – Library files shared across all users.

3. Network Domain (/Network)
The Network Domain is for shared resources like network drives or printers. In an office setting, this is where you'd find shared servers or Windows file shares. It's managed by network administrators and isn't something the average user interacts with often.

4. System Domain (/System) or System Library
This is where Apple stores the critical components that make macOS run smoothly. It's locked down so that regular users can't accidentally delete something important. You'll find OS-level libraries and apps here, safely tucked away from tampering.
/System/Library/

A Deeper Look into the User Domain
Every user account on macOS has its own Library directory (~/Library/), which contains various subdirectories packed with forensic gold. The tilde (~) is a shortcut that represents the user's home directory, so if you're examining a user named Dean, her Library path would be /Users/Dean/Library/.

1. Containers Directory (Introduced in macOS 10.7)
Apple introduced sandboxing to enhance security, and the Containers directory plays a crucial role here. Applications that are sandboxed store their data inside ~/Library/Containers/ rather than the traditional Application Support directory. This means that if you don't find what you're looking for in Application Support, you should check Containers as well. Each container is named in reverse DNS format, such as com.apple.Safari. Inside, you'll often find a metadata.plist file that provides information about the app's sandbox environment.

2. Application Support Directory
Think of this as the macOS equivalent of AppData on Windows. Located at ~/Library/Application Support/, this directory stores configuration files, databases, and other application-specific data. The way each application stores its data varies, so you might find SQLite databases, property list files (.plist), or even proprietary formats.

3. Caches Directory
Applications generate a lot of temporary files, and macOS keeps them organized inside ~/Library/Caches/. These cached files may be named using reverse DNS format (e.g., com.google.Chrome), or simply follow a company's folder structure (e.g., Adobe/Photoshop/). Cached data can sometimes reveal user activities, recently accessed files, or browsing history.

4. Preferences Directory (.plist Files)
User preferences for applications are stored in property list files (.plist), usually found in ~/Library/Preferences/. These files follow the reverse DNS format, such as com.apple.TextEdit.plist. By examining these files, forensic analysts can uncover user settings, saved states, and even recent application interactions.

-------------------------------------------------------------------------------------------------------
Data Directory and Symbolic Links
In sandboxed applications, the Data directory within Containers mimics a user's home directory but with strict access controls. Some directories inside it are symbolic links, meaning they redirect to actual files elsewhere on the system. The ones that are not links often contain the most valuable forensic data, such as app-specific databases and usage logs. For example, Apple Maps stores its primary database here, which can be crucial for location-based investigations.

-------------------------------------------------------------------------------------------------------
Wrapping Up
Forensic analysis on macOS can be tricky due to Apple's unique approach to data storage and security. However, once you know where to look, the Library directory and core system directories hold a wealth of useful artifacts. Whether you're investigating user preferences, app data, cached files, or system logs, each directory has its own forensic story to tell. Next time you're analyzing a macOS system, keep this guide handy—it might just lead you to the evidence you need!
-----------------------------------------Dean---------------------------------------------
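As an added example (not code from the original article), the Python below walks a ~/Library/Containers tree as described in the Containers and Data Directory sections: it reads each container's metadata.plist and separates the real directories under Data/ (where app databases and logs live) from the symbolic links that merely redirect into the home directory. It assumes the bundle identifier is stored under the plist key MCMMetadataIdentifier and builds a constructed sample tree in a temporary directory so it runs on any machine.

```python
import os
import plistlib
import tempfile

# Assumed key name for the bundle identifier inside metadata.plist; the
# container directory name (already reverse-DNS) is the fallback.
BUNDLE_ID_KEY = "MCMMetadataIdentifier"

def triage_containers(containers_root):
    """Map each container to the real directories and symlinks under its Data/.

    Symlinks under Data/ only redirect into the user's home directory, so
    the entries that are NOT links are the ones that may hold app-specific
    databases and logs worth collecting.
    """
    report = {}
    for name in sorted(os.listdir(containers_root)):
        cdir = os.path.join(containers_root, name)
        if not os.path.isdir(cdir):
            continue
        bundle_id = name
        meta = os.path.join(cdir, "metadata.plist")
        if os.path.isfile(meta):
            with open(meta, "rb") as fh:
                bundle_id = plistlib.load(fh).get(BUNDLE_ID_KEY, name)
        real, links = [], []
        data_dir = os.path.join(cdir, "Data")
        if os.path.isdir(data_dir):
            for entry in sorted(os.listdir(data_dir)):
                path = os.path.join(data_dir, entry)
                # islink() does not follow the link, so dangling links still count
                (links if os.path.islink(path) else real).append(entry)
        report[bundle_id] = {"real": real, "links": links}
    return report

def build_sample_tree(root=None):
    """Constructed sample tree (not a real image): one Maps container whose
    Data/ has a real Library/ directory and a Desktop symlink into $HOME."""
    root = root or tempfile.mkdtemp()
    cdir = os.path.join(root, "com.apple.Maps")
    os.makedirs(os.path.join(cdir, "Data", "Library", "Maps"))
    with open(os.path.join(cdir, "metadata.plist"), "wb") as fh:
        plistlib.dump({BUNDLE_ID_KEY: "com.apple.Maps"}, fh)
    os.symlink("/Users/Dean/Desktop", os.path.join(cdir, "Data", "Desktop"))
    return root

if __name__ == "__main__":
    for bid, entries in triage_containers(build_sample_tree()).items():
        print(bid, "real:", entries["real"], "links:", entries["links"])
```

Point triage_containers at a mounted image's Users/<name>/Library/Containers to get the same report for a real system.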
- Tracking Trusted Office Documents: A Key to Investigating Macro-Based Malware
Microsoft Office is widely used for business and personal tasks, but it has also been a major target for cybercriminals. One of the most common attack methods has been malicious macros, which execute harmful scripts when an Office document is opened. Malware like Locky, REvil, and Emotet has successfully exploited this technique for years, often leading to ransomware infections and data breaches. To combat this, Microsoft blocked macros by default in 2022 for files downloaded from the internet. However, many users still need macros for work, and attackers continuously find workarounds.

For forensic investigators and cybersecurity professionals, tracking which files a user has trusted and enabled macros for is crucial. Microsoft Office maintains a TrustRecords registry key that logs this information. This key provides a long-term record of what documents were trusted, where they were stored, and when the user enabled macros or editing.

-------------------------------------------------------------------------------------------------------
Where is TrustRecords Stored in the Registry?
Microsoft has kept a TrustRecords key in the Windows Registry:
NTUSER\Software\Microsoft\Office\\Word\Security\Trusted Documents\TrustRecords

-------------------------------------------------------------------------------------------------------
What Information Does TrustRecords Contain?
Each entry in TrustRecords logs valuable forensic data:
✅ Full File Path – The exact location of the document when it was opened (local, USB, network, or cloud).
✅ Timestamp – When the user trusted the document and enabled macros or editing.
✅ Permission Type – Whether the user allowed editing or macro execution.
This data can reveal whether a user has intentionally or unknowingly trusted a malicious document, making it an essential artifact in malware investigations.
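As an added example (not code from the original article), the Python below decodes TrustRecords values offline into the three fields listed above. It assumes the commonly documented value layout, which the article does not spell out: the value name is the document path, the data starts with an 8-byte Windows FILETIME recording when the file was trusted, and its last 4 bytes are 0x7FFFFFFF when the user clicked Enable Content (macros) rather than only enabling editing; the location classifier is a heuristic and the sample values are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
MACROS_ENABLED = 0x7FFFFFFF  # assumed flag meaning "Enable Content" was clicked

def filetime_to_datetime(ft):
    """A FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the sample data."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def classify_location(path):
    """Rough origin of the trusted document from its path prefix (heuristic)."""
    p = path.replace("/", "\\").upper()
    if p.startswith("\\\\"):
        return "network_share"
    if p.startswith(("%USERPROFILE%", "C:")):
        return "local"
    if len(p) > 1 and p[1] == ":":
        return "other_volume"  # USB stick or mapped drive letter
    return "unknown"

def decode_trust_record(value_name, data):
    """Decode one TrustRecords value (name = document path, data = raw bytes)."""
    if len(data) < 12:
        raise ValueError("TrustRecords data too short: %d bytes" % len(data))
    trusted_ft = struct.unpack_from("<Q", data, 0)[0]
    flag = struct.unpack_from("<I", data, len(data) - 4)[0]
    return {
        "path": value_name,
        "trusted_at": filetime_to_datetime(trusted_ft),
        "permission": "macros_enabled" if flag == MACROS_ENABLED else "editing_enabled",
        "location": classify_location(value_name),
    }

def sample_records():
    """Constructed sample values (not taken from a real hive)."""
    when = datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)
    head = struct.pack("<Q", datetime_to_filetime(when)) + b"\x00" * 12
    return [
        ("%USERPROFILE%/Documents/report.doc", head + struct.pack("<I", 1)),
        ("E:/Malware_Invoice.doc", head + struct.pack("<I", MACROS_ENABLED)),
    ]
```

Feed decode_trust_record each (value name, value data) pair exported from the TrustRecords key of an NTUSER.DAT hive to build a timeline of trusted documents.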
-------------------------------------------------------------------------------------------------------
Why Is This Important in Digital Forensics?

🔍 1. Identifying Malicious Documents
If a system is infected with malware, analysts can check TrustRecords to see if the user opened and trusted a suspicious document. If an attacker sent a phishing email with a malicious macro, this registry key can confirm whether the victim enabled the macro.

💾 2. Recovering Evidence of Past Attacks
One of the most powerful aspects of TrustRecords is that it keeps logs for years. Even if a document has been deleted, its trust history remains in the Registry, making it possible to trace old infections.

🛡️ 3. Auditing Security Practices
Businesses can use TrustRecords to audit user behavior and determine if employees are frequently enabling macros in untrusted documents. This helps security teams improve training and reduce future risks.

🖥️ 4. Tracking External & Cloud Documents
The registry logs files trusted from different locations, including:
Local storage (C:\Users\PCUser\Documents\report.doc)
USB devices (E:\Malware_Invoice.doc)
Network shares (\\CompanyServer\Shared\Finance.xlsm)
Microsoft 365 Cloud (OneDrive documents)
This makes it useful for tracking document movement and identifying external storage devices used in an attack.

-------------------------------------------------------------------------------------------------------
Final Thoughts: A Hidden Treasure for Investigators
The TrustRecords registry key is a goldmine of forensic evidence when investigating macro-based attacks, phishing incidents, and document-based malware infections. Forensic investigators and cybersecurity professionals should always check this key when analyzing:
✔️ Malware infections
✔️ Phishing attacks
✔️ Insider threats
✔️ Suspicious document activity
By leveraging TrustRecords, we can uncover hidden evidence, track user behavior, and strengthen defenses against macro-based malware attacks.
🚀 ---------------------------------------Dean--------------------------------