Appendix 1 - Windows 10 Artifact Locations

Camera App

Photos stored at: C:\Users\\Pictures\Camera Roll
File Format: WIN_20151106_10_48_48_Pro.jpg - WIN / Date in YMD / Time HH_MM_SS / Pro.jpg
Shared photos - track to user at: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU
Registry - RecentDocs for .jpg at: NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg

Registry

RecentDocs for .jpg at:

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg&ls=0&b=0

Cortana

Contacts - contacts.json file: C:\Users\\AppData\Local\Packages\\LocalState\Cortana\Upload\
CortanaCoreDB.dat - Main page tracking: C:\Users\\AppData\Local\Packages\\LocalState\ESEDatabase_CortanaCoreInstance
IndexedDB.edb - Indexed search data: C:\Users\\AppData\Local\Packages\\AppData\Indexed DB\IndexedDB.edb

Local Speech Main Cache

Saved WAV files Main page storage

Searches

DestList (Jump Lists)

Searches

.JSON Files

Searches

Jump Lists

C:\Users\\AppData\Local\Packages\\AC\AppCache\
C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9d1f905ce5044aee.automaticDestinations-ms
C:\Users\\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\INetCache\
C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9d1f905ce5044aee.automaticDestinations-ms

Searches Searches

Link Files Registry .com/search

C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\https
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts / .com

Searches

Registry RecentDocs

Searches Searches

Voice Recordings WebCacheV01.dat

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.&input=
C:\Users\\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\LocalRecorder\Speech
C:\Users\\AppData\Local\Microsoft\Windows\WebCache

Defrag Registry

Last Defrag

SOFTWARE\Microsoft\Dfrg\Statistics\Volume

C:\Users\\AppData\Local\Packages\\LocalState\LocalRecorder\Speech

Edge Downloads

Main Application File System storage

C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
C:\Users\\Downloads

Downloads Downloads Event Logs

Edge Cache WebCacheV01.dat

C:\Users\\AppData\Local\Packages\\AC\#!001\MicrosoftEdge\Cache\
C:\Users\\AppData\Local\Microsoft\Windows\WebCache
C:\Windows\System32\winevt\Logs

Favorites

Saved favorites

Favorites

Registry

InPrivate Browsing InPrivate Browsing Internet Explorer

Recovery WebCacheV01.dat Cache

C:\Users\\AppData\Local\Packages\\AC\MicrosoftEdge\User\Default\Favorites\
UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\
C:\Users\\AppData\Local\Packages\\AC\MicrosoftEdge\User\Default\Indexed DB\
C:\Users\\AppData\Local\Packages\\AC\MicrosoftEdge\User\Default\Recovery\Active
C:\Users\\AppData\Local\Microsoft\Windows\WebCache
C:\Users\\AppData\Local\Microsoft\Windows\WebCache

Jump Lists

File tracking

C:\Users\\AppData\Roaming\Microsoft\Windows\Recent

Link Files

File tracking

C:\Users\\AppData\Roaming\Microsoft\Windows\Recent

Local browsing Log Files

History - File Explorer

C:\Users\\AppData\Local\Microsoft\Windows\WebCache
C:\Users\\AppData\Local\Microsoft\OneDrive\logs\Common and Personal

Main Cache

TIF Page storage

Reading List

Files

Reading List

Notes

Reading List

Recovery, last session

Reading List

Spartan.edb

C:\Users\\AppData\Local\Packages\\AC\#!001\MicrosoftEdge\Cache\
C:\Users\\AppData\Local\Packages\\AC\#!001\MicrosoftEdge\User\Default\Web Notes
C:\Users\\AppData\Local\Packages\\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\\ReadingList\
C:\Users\\AppData\Local\Packages\\AC\MicrosoftEdge\User\Default\Recovery\Active
C:\Users\\AppData\Local\Packages\\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\\DBStore\

IndexedDB.edb

Recovery

Last open pages

Registry

App Information

Registry

App Install Date/Time

Registry

History - Days to Keep

Registry Registry

Registry

TypedURLs TypedURLs Hyperlink

TypedURLsTime

Registry

TypedURLsVisitCount

File Explorer Local Browsing Registry

History RecentDocs

Internet Explorer

Version 11

Registry Registry Registry TIF WebCacheV01.dat

History - Days to Keep TypedURLs TypedURLsTime Storage Tracking History

C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\.dat
UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.Microsoftedge\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe\MicrosoftEdge\Capabilities\FileAssociations
UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\Microsoft.Microsoftedge_8wekyb3d8bbwe\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe / InstallTime
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetSettings\Url History / DaysToKeep
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs
NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs
UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount

C:\Users\\AppData\Local\Microsoft\Windows\WebCache
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Url History / DaysToKeep
NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime
C:\Users\\AppData\Microsoft\Windows\INetCache
C:\Users\\AppData\Local\Microsoft\Windows\WebCache

ISO Mounting

Jump Lists - File Explorer Virtual: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms
Registry - RecentDocs: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.iso

Jump Lists

Jump Lists - AutomaticDestinations: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Common App IDs - MSPaint: 12dc1ea8e34b5a6.automaticDestinations-ms
Common App IDs - File Explorer-Virtual: 1b4dd67f29cb1962.automaticDestinations-ms
Common App IDs - IE Version 11: 28c8b86deab549a1.automaticDestinations-ms
Common App IDs - Microsoft Access: 319f01bf9fe00f2d.automaticDestinations-ms
Common App IDs - Wordpad: 469e4a7982cea4d4.automaticDestinations-ms
Common App IDs - File Explorer: 5f7b5f1e01b83767.automaticDestinations-ms
Common App IDs - Control Panel: 7e4dca80246863e3.automaticDestinations-ms
Common App IDs - Windows Store: 9a165f62edbfa161.automaticDestinations-ms
Common App IDs - Notepad: 9b9cdc69c1c24e2b.automaticDestinations-ms
Common App IDs - Edge Browser: 9d1f905ce5044aee.automaticDestinations-ms
Common App IDs - Windows Photo: a52b0784bd667468.automaticDestinations-ms
Common App IDs - Zune Music App: ae6df75df512bd06.automaticDestinations-ms
Common App IDs - Excel 2013: b8ab77100df80ab2.automaticDestinations-ms
Common App IDs - PowerPoint 2013: d00655d2aa12ff6d.automaticDestinations-ms
Common App IDs - Adobe Acrobat Reader: de48a32edcbe79e4.automaticDestinations-ms
Common App IDs - File Explorer: f01b4d95cf55d32a.automaticDestinations-ms
Common App IDs - Word 2013: fb3b0dbfee58fac8.automaticDestinations-ms
DestList - AutomaticDestinations: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Jump Lists - CustomDestinations: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Registry - TaskBar Application List: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband / FavoritesResolve
User Pinned Apps - Link File at: C:\Users\\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

Link Files - Recent folder: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent
Link Files - Office only: C:\Users\\AppData\Roaming\Microsoft\Office\15.0\Recent (or 16.0)
Link Files - Cortana Searches: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\https
Jump Lists - AutomaticDestinations: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Link Files - Office only: C:\Users\\AppData\Roaming\Microsoft\Office\15.0\Recent (or 16.0)
TaskBar - User Pinned: C:\Users\\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

Mail

_sessionState.xml - tmp contact information: C:\Users\\AppData\Local\Packages\\
Contacts.txt - Contact information: C:\Users\\AppData\Local\Packages\\
Pcontacts.txt - Contact information: C:\Users\\AppData\Local\Packages\\
Storage - Mail location; 0=Windows Phone Mail, 2=Contact Data, 3=Mail, 5=Calendar, 7=Attachments: C:\Users\\AppData\Local\Comms\Unistore\Data\
store.vol - Full mail storage: C:\Users\\AppData\Local\Comms\Unistore\
UserDataTempFiles - Temporary mail: C:\Users\\AppData\Local\Comms\UserDataTempFiles\

Notifications

News, tiles, graphics

C:\Users\\AppData\Local\Microsoft\Windows\Notifications\wpnidm

Office Applications (Using Word as example)

CentralTable.accdb - DB tracking Office docs: C:\Users\\AppData\Local\Microsoft\Office\15.0\OfficeFileCache (or 16.0)
Graphics - In Word document: \word\media\image.jpg
Link Files - Office only: C:\Users\\AppData\Roaming\Microsoft\Office\15.0\Recent (or 16.0)
Log File Information - Microsoft Office Alerts: C:\Users\Windows\System32\winevt\Logs\OAlerts.evtx
Metadata - Actual data in Word: \word\document.xml
Metadata - Document Info: docProps\core.xml
Registry - Identity Live Account: NTUSER\SOFTWARE\Microsoft\15.0\Common\Identity\Identities\
Registry - MRU Non Live Account: NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU

Registry - MRU Live Account: NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\User MRU\LiveId\File MRU
Registry - Place MRU: NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\User MRU\LiveId\Place MRU
Registry - Reading Locations: NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Reading Locations
Registry - Roaming Identities: NTUSER.DAT\SOFTWARE\Microsoft\Office\15.0\Common\Roaming\Identities\
Registry - Trusted Locations
Registry - Trusted Documents