Registry Explorer, Event Log Explorer, USB Forensics Tracker, MFTECmd &…
Registry Explorer
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Computer Name
System\ControlSet001\Control\ComputerName\ComputerName
Time Zone
SYSTEM\ControlSet001\Control\TimeZoneInformation
Startup & Shutdown Time
System\ControlSet001\Control\Windows
TurnedOnTimeView
Network Cards
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
Connections History
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
Network Interfaces
SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
Network Shares
SYSTEM\ControlSet001\Services\LanmanServer\Shares
User's Recent Actions
(MRULists)
C:\Users\<USER>\NTUSER.DAT
USB Forensics
User Device Access (GUID correlation)
Installed Apps
AmcacheParser.exe & Timeline Explorer
Persistence - Autorun Apps
Program Usage Insights
C:\Users\<USER>\NTUSER.DAT
Scheduled Tasks
C:\Windows\Tasks
Event Log Explorer
User Activity & Account Events
Object Access Logging: Monitoring File/Folder Activity
Connected Devices
Windows Services
Microsoft Office Dialog Alerts Log
USB Forensics Tracker
MFTECmd & Timeline Explorer
Parsing $J
Parsing $I30
WifiHistoryView
RegRipper
Exploring SAM
R-Studio
Parsing $MFT
NTFS Log Tracker
Parsing $LogFile
INDXRipper
WinSearchDBAnalyzer
Deleted Files
ShellBagsExplorer
User Folder Activity
LECmd & Timeline Explorer
LNK Analysis
JumpList Explorer & Timeline Explorer
JumpLists
setupapi.dev.log
Device Connection History
AppRepository
MS Store Apps
WxTCmd & Timeline Explorer
Windows Timeline
UserAssist
ShimCacheParser & Timeline Explorer
Apps Compatibility mode
ControlSet001\Services\bam\State\UserSettings
Background Apps
WinPrefetchView
Programs frequently running
SrumECmd & Timeline Explorer
System Resource Usage
version, service pack, build number, and release ID.