Skip to content

Windows

$MFT Master File Table

MRU Most Recently Used

  • NTUSER.dat
  • Can be read with RegRipper with the plugin runmru.
    • Pulling the UserAssist, which stores the latest applications, shortcuts and documents opened by the user
      • rip.exe -p userassist -r ../NTUSER.DAT

USN Journal (Update Sequence Number Journal)

C: \ $ Extend \ $ UsrJrnl,

Logs

C: \ Windows \ system32 \ winevt \ logs

User logins

Each time a session is started the user profile is loaded. This action leaves a record in the Microsoft-Windows-User Profile Service log/Operational.evtx

Registry

C: \ Windows \ system32 \ config

  • Timezone: HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  • Computer Name: HKLM\SYSTEM\CurrentControlSet\Control\ComputerName
  • Last Shutdown: HKLM\SYSTEM\CurrentControlSet\Control\Windows -> ShutdownTime
  • Build Number: HKLM\SOFTWARE\Microsoft\Windows\NT\CurrentVersion\CurrentBuildNumber

Prefetch

File extensions of interest

http://www.hexacorn.com/blog/2019/02/11/file-extensions-of-interest/