🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page

Was this helpful?

  1. Windows Artifacts
  2. Windows Quick Tips

Workstation File/Folder Locations

  1. System Configuration and Registry

    • C:\Windows\System32\config\: Contains the Registry hives.

    • C:\Windows\regedit.exe: Registry Editor, for accessing the Windows Registry.

  2. User Data and Profiles

    • C:\Users\: User profile directories containing personal files, settings, and application data.

    • C:\Users\[Username]\AppData: Application data, roaming profiles, and user-specific settings.

  3. Logs and Event Files

    • C:\Windows\System32\winevt\Logs: Event logs for system, security, and application events.

    • C:\Windows\System32\config: Also contains some system logs.

  4. Program Files and Applications

    • C:\Program Files and C:\Program Files (x86): Installed applications.

    • C:\Windows: Core operating system files.

  5. Temporary Files

    • C:\Windows\Temp: System temporary files.

    • C:\Users\[Username]\AppData\Local\Temp: User-specific temporary files.

  6. Startup Items

    • C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup: Startup items for individual users.

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp: Startup items for all users.

  7. Task Scheduler and Automated Tasks

    • C:\Windows\System32\Tasks: Task Scheduler tasks.

    • C:\Windows\Tasks: Automated tasks created by older applications.

  8. Windows Registry Key Locations for Autostart Items

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: Programs that run on system startup.

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: User-specific programs that run on startup.

  9. Temporary Internet Files and Browser Data

    • C:\Users\[Username]\AppData\Local\Microsoft\Windows\INetCache: Internet Explorer cache.

    • C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Cache: Google Chrome cache (similar paths for other browsers).

  10. System Restore Points and Shadow Copies

    • C:\System Volume Information: System Restore points and Volume Shadow Copy service files.

  11. Prefetch Files (Application Launch Information)

    • C:\Windows\Prefetch: Files that help in speeding up the application launch.

  12. Recycle Bin

    • C:\$Recycle.Bin: Files that have been deleted but not permanently removed.

  13. Windows Event Tracing Logs

    • C:\Windows\System32\winevt\Logs: Event Tracing for Windows (ETW) logs, which record system operation and performance data.

  14. Security Software Logs

    • Varies by vendor: Security solutions (antivirus, EDR, firewalls) often have their own logging directories.

  15. File History Backup

    • C:\Users\[Username]\AppData\Local\Microsoft\Windows\FileHistory: Configuration and storage for the Windows File History feature.

  16. Crash Dumps

    • C:\Windows\Minidump: Contains mini-dump files generated during a system crash (BSOD).

    • C:\Windows\MEMORY.DMP: Full memory dump file.

  17. Installed Programs and Updates

    • C:\Windows\Installer: Storage location for installation files and patches.

    • C:\Windows\SoftwareDistribution\Download: Windows Update files.

  18. Networking Information

    • C:\Windows\System32\drivers\etc\hosts: Hosts file for manual IP address mapping.

    • C:\Windows\System32\drivers\etc\networks: Network configuration files.

  19. Command History

    • For PowerShell: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Common Directories w/ Servers

  • C:\Windows: Core operating system files.

  • C:\Windows\System32: Essential system files and DLLs.

  • C:\Windows\Prefetch: Information about application launch activities and timings.

  • C:\ProgramData: Application and system-wide data.

  • C:\Users: User profiles and personal files.

PreviousWindows Command LineNextServer File/Folder Locations

Last updated 1 year ago

Was this helpful?