I will keep adding to this list.
Registry
MuiCache
- HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
- HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
AppCompatCache
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
AppCompatFlags
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
UserAssist
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
ComDlg32
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
FeatureUsage
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage
- https://www.crowdstrike.com/blog/how-to-employ-featureusage-for-windows-10-taskbar-forensics/
FirewallRules
- HKEY_LOCAL_MACHINE\System\ControlSet00X\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
BAM
- HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bam\State\UserSettings
Prefetch
- C:\Windows\Prefetch
Jumplist
- C:\Users\{User}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
- C:\Users\{User}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Windows 10 Timeline
- C:\Users\{User}\AppData\Local\ConnectedDevicesPlatform\d9f5cd4e0177059a\ActivitiesCache.db
SRUM
- C:\Windows\System32\sru\SRUDB.dat
Amcache
- C:\Windows\appcompat\Programs\Amcache.hve