Collection of Program Execution Artifacts
DFIR / Other Concepts

I will keep adding to this.

Registry

MuiCache

  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

AppCompatCache

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

AppCompatFlags

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store

UserAssist

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

ComDlg32

  • NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

FeatureUsage

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage

FirewallRules

  • HKEY_LOCAL_MACHINE\System\ControlSet00X\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

BAM

  • HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bam\State\UserSettings

File System

Prefetch

  • C:\Windows\Prefetch

Jumplist

  • C:\Users\{User}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
  • C:\Users\{User}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Windows 10 Timeline

  • C:\Users\{User}\AppData\Local\ConnectedDevicesPlatform\d9f5cd4e0177059a\ActivitiesCache.db

SRUM

  • C:\Windows\System32\sru\SRUDB.dat

Amcache

  • C:\Windows\appcompat\Programs\Amcache.hve