Artefact Acquisition Checklist
Execution
Windows
Event Logs
Log Channels: PowerShell, Security, Sysmon
ShimCache
Registry Key:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
Analysis Tools:
:star: AppCompatParser :check: ShimCacheParser (Mandiant)
Prefetch
Path:
C:\Windows\Prefetch
Analysis Tools:
:check: PECmd
Amcache
Path:
C:\Windows\appcompat\Programs\Amcache.hve
Analysis Tools:
:star: AmcacheParser :check: RegRipper (amcache)
Jumplists
Path:
:check: %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations
:check: %APPDATA%\Microsoft\Windows\Recent\CustomDestinations
Analysis Tools:
:star: JLECmd :check: JumpListExplorer
LNK Files
Path:
%APPDATA%\Microsoft\Windows\Recent Items
Analysis Tools:
LECmd
UserAssist
Registry Key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Collection Tools:
:check: UserAssistView
RunMRU
Registry Key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
ShellBags
Collection Tools: :star: ShellBagExplorer :check: SBags
Analysis Tools: :check: SBECmd :star: ShellBagExplorer
Registry Key:
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Linux
Commands: ps, history
Collection Sources:
Auditd
Files:
~/.bash_history
Network Connections
Windows
Collection Tools:
:star: CurrPorts :check: TCPView :star: tcpdump :star: eXirNetwork
Analysis Tools:
:check: Wireshark
Linux
Commands:
:star: netstat :check: ss :check: tcpdump
Collection Tools:
:star: tcpdump
Analysis Tools:
:star: Wireshark
Services
Windows
Utility:
:check: SC, :check: AutoRuns (SI)
Linux
Command:
systemctl list-unit-files --type service --all
User Accounts and Groups
Windows
Commands:
NET, WMIC
Linux
Paths:
:check: /etc/group :check: /etc/passwd
Login Statistics
Event Logs
Collection Tools:
:star: PsLoggedOn :star: LogonSessions
Volatile Artifacts
Memory
Windows
Collection Tools:
:check: Redline :check: DumpIt (<8GB) :star: Belkasoft Capturer (>8GB) :check: FTK Imager
Analysis Tools:
:check: Volatility (2/3) :star: MemProcFS :check: Volatility Workbench
Linux
Collection Tools:
:check: LiME :check: Redline :star: AVML
Analysis Tools:
:star: Volatility (2/3) :check: Freta
Registry Hives
Keys
Auto-start Entry Points
Collection Tools:
:star: AutoRuns, :check: What's In Startup
MountPoints
Collection Tools:
USBView (Nirsoft)
Hives
Paths:
:star: C:\Windows\System32\Config
:star: %USERPROFILE%\NTUSER.dat
:star: %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat
Browsers
History
Collection Tools:
:star: BrowsingHistoryView (Nirsoft)
Analysis Tools:
:star: Autopsy (Requires disk image)
Cache
Collection Tools:
CacheView (Nirsoft)
Event Logs
Windows
Path: C:\Windows\System32\winevt\Logs\
Analysis Tools: :star: Event Log Explorer, :check: Redline
Collection Tools: :check: eXir, :check: Redline
Linux
Path: /var/log/
Collection Tools: :check: eXir, :star: UAC
Analysis Tools: :check: ELK
Scheduled Tasks
Windows
Command:
schtasks.exe
Collection Tool:
:star: eXir :check: Redline
Registry Key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
Linux
CRON
Command:
for user in $(cut -f1 -d: /etc/passwd); do echo "== $user"; crontab -u "$user" -l 2>/dev/null; done
Collection Tool:
:star: eXir :check: Redline
Virtual Machines
VMWare
Processing Tools:
:check: VMWare
Artifacts:
:star: VMDK (Disk Image)
:star: VMEM (Memory)
:star: VMSS (Suspended States)
:star: VMSN (Snapshot)
Legend: :check: Preference, :star: Recommended